1ca988aa7198e6afbc33109fbc3a9df692f3d89eb8b5e1f98c3205c0b4d56bb2

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Size

24.3MB
MD5

975193c01bf3defcb35037e2304c78c6
SHA1

a45d1ecb04cd376430a71fc3f7894d29c5fde687
SHA256

1ca988aa7198e6afbc33109fbc3a9df692f3d89eb8b5e1f98c3205c0b4d56bb2
SHA512

79a280631cbe8e7a81a8b8ffe6a7853566db4bedbdc9dd9089cb3bc32e59cac84e1f7e0fd0c26a8066713fe01e190489564fa1c6f8974738107f86f44db76d8b
SSDEEP

196608:HP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018k4y:HPboGX8a/jWWu3cI2D/cWcls1l4y

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2652	alg.exe
888	DiagnosticsHub.StandardCollector.Service.exe
412	fxssvc.exe
3456	elevation_service.exe
1212	elevation_service.exe
2500	maintenanceservice.exe
4508	msdtc.exe
1928	OSE.EXE
1812	PerceptionSimulationService.exe
3220	perfhost.exe
1420	locator.exe
400	SensorDataService.exe
2628	snmptrap.exe
4436	spectrum.exe
3620	ssh-agent.exe
3632	TieringEngineService.exe
2088	AgentService.exe
1072	vds.exe
3368	vssvc.exe
620	wbengine.exe
4692	WmiApSrv.exe
1208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5a79eb0e1ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaw.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_107921\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d3b013ffaadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3741b3ffaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e953983efaadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030da8236faadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0152438faadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1dda13efaadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe

pid	process
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	412	fxssvc.exe
Token: SeRestorePrivilege	3632	TieringEngineService.exe
Token: SeManageVolumePrivilege	3632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2088	AgentService.exe
Token: SeBackupPrivilege	3368	vssvc.exe
Token: SeRestorePrivilege	3368	vssvc.exe
Token: SeAuditPrivilege	3368	vssvc.exe
Token: SeBackupPrivilege	620	wbengine.exe
Token: SeRestorePrivilege	620	wbengine.exe
Token: SeSecurityPrivilege	620	wbengine.exe
Token: 33	1208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeDebugPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5020	2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2652	alg.exe
Token: SeDebugPrivilege	2652	alg.exe
Token: SeDebugPrivilege	2652	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1208 wrote to memory of 5456	1208	SearchIndexer.exe	SearchProtocolHost.exe
PID 1208 wrote to memory of 5456	1208	SearchIndexer.exe	SearchProtocolHost.exe
PID 1208 wrote to memory of 5488	1208	SearchIndexer.exe	SearchFilterHost.exe
PID 1208 wrote to memory of 5488	1208	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_975193c01bf3defcb35037e2304c78c6_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2828

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1212

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4436

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3096

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5456

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
94a88ad504d43414e808379e0660812d

SHA1
09738e1ab5fe30a0d67f2cff61b955aee63ef96d

SHA256
4c9fe07e4cf81f6f508cf26d9ab9cbf009c105f2a2de01aed6e3459494d2d9d7

SHA512
b6dd03ba9e8a6535d33ec6e018343f02f35adabeaec334a417176bcab7299057cc96e87f6fa536ecfdba6664708f66c750e1348c9c6bc81d5e473c6e22bfa8f1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.3MB

MD5
3d3cbda71478b97cce8fbd46d45b6dc1

SHA1
85c6b05ef09c9c73a41745dd931af17c059e1739

SHA256
6d9f65f7877690df64954bde55c63f808650a7d99c38c25d64596fec40bd8c8e

SHA512
fad1b2ada742beae554598d43e7626b54a01eee747b26140247380c8736d83f190b58e37ee9445a837a4c1a1b7fa0f0dfd96f1267d7f13d31142915a50a00afa

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.6MB

MD5
a65b4cd4fd954e2aa5ca41705b8db861

SHA1
a74084a3cedc638bf53bea75fdf3c14417714138

SHA256
57c3ff6a5836a7ab1318b532fa3ddeee7849bd865f89bcfcfcf390201d0a44dc

SHA512
5e1cdefcdd3c97403a07ebf9c6ac8a097f8f712b350d7dde18cf150f39f6a32b1776c00d9dad07204d5833af6b9294f0e6ac43bda89f8b47cdbac2ac62db9dbd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
19372104788cdb3b8a73e77501dcf54b

SHA1
01f4520f5e2fa6e29d4ffb4e3d4d9b7041dd179a

SHA256
464e918b368c2fbe5f6d61640d43837f03427eb23d6fb02f0795c7a108d6e38f

SHA512
1cdbd8ac274169526e238069dcf0f26db2adbb878bf1145b20f998bc3778a9f864fe5138d28a225137d98a076cff2c06f9c301c5347bf168d8210ecfd7e036fc

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a0c4deb8d9cabf952b8489223b9551bf

SHA1
0fdfb1ecb7c28ca2aed70f2770092a69acaf692c

SHA256
da7b0dd4fe79125cec2eabd52aaf02d9b9aa40147bf1f78f56c293b3eadc1bf6

SHA512
7327af70d7d7194b22d8ecafb175586f8e2be96b5f99cb6947e7a7ab79befb32fcba93c7e530c39f57441b984675de484dfc2e0ac07ff552fef996e0df33e834

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.1MB

MD5
64efd0c53a5395bd6338fa95325790af

SHA1
a760767146bde2c9a88bad15601dfd1dd11d4048

SHA256
a0bc147eee64b430143684826a26cb2e059b54e86e1d10f54bc60284cd561a1d

SHA512
2cf20d1e5f7a1ced3a0211c3d8dac229c80067ab600ca25a0095b8c971061aacaef4122428f5cdcccd6e21dedc368039a8f2f517079f6bd5e0032d4bc725eec9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.3MB

MD5
66da60627d76ce2994f03c91a02826df

SHA1
bc2c19edf5929d64230efa37f4f2c948738a9184

SHA256
d6d9705f57d41b076dfc11d7e4ada5449e6ac0580f62744a8beb10cc0e198f93

SHA512
433f17eb24df03e0d98a410d6f18855911c0604628f8cbd8abcc192b576e1ea3e56e8ee8d5149d01cb97adb0732ac1b10f08b39e5ea9a0ebec95e7fdfecbde44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
1b5c3edffd9c1d9a6364f92f59499169

SHA1
74d8d939641025d7b987ef7b404773ad5f39b37f

SHA256
36114f029018a6d0658f27a4762b60cb755b91ca5525a7bc71b89eb3b7de67ce

SHA512
4b09f2edcd95eab13d2c3c0093915709666a6670da5fbec669048f7eb4b2b26721752d0c5b02185a3f89ed549de0790ad79fc4d0cc1b0785c6c70e34f4c628d0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.4MB

MD5
1e94b55c3aa8438003303004974ae067

SHA1
41ca2b15768e06dd0f9e0aa79fb96237ce97aef3

SHA256
eb445c8526cf00badf795ad5fce767af6b4d0485a95270f719cb567708151a9d

SHA512
2e30f4652f7bb6716b1030fe14221bd8ff1f0449604de3a3f5fab7fbd041249a61d60931ebd1b27bc1672852f8728c4b69ca4867f289ef8c3d7dd9e40c743dc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
05375b86910961a3478765e69669dedb

SHA1
dd56504ec1d777639ac3c4bd7839ee372526789c

SHA256
c94d57fd8db1c2f3dc78c9f9d173785ea0c891e0e5e8062ff3efd85d0f1db300

SHA512
6bdf405e850338a21c1b96f3b1c8246b95ea497f319889d6d86f82c21a5656e9e0061a78ccee635a37d6bca9b8063dc971522954ea501f3a88b8b2660d59abe4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
8170fcc5b93c01e15cf84a57132a8e45

SHA1
605611dd91b1eaa2964ca207c6416020151809f4

SHA256
9e4438ceb7fba81e2b4080049c6f120915461d0148f0fff3df2d81dfe74936be

SHA512
df8fa6e3d4ccccecc0fe1d0027ef84fa4d68512bc8a4272c28533857ad148ec6aaa6cb8142f6e91c29dafce62ba6315eef3cd4f0fe9aaaebf988d04ed59f08ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a5ec2cca952aa998b9e8c659b59ef1ba

SHA1
19a5ca034e900942985465e1498ebd8da31d9d77

SHA256
a8c550f87d16d66e7f3267a9bf650bf5af00d6683ab52462fcc64e79f805ea1a

SHA512
4fe44f898de5e2d3b570371800e73688025996a03940366574fe61e47afb66aaf4e62b545478235dcfc2ff8d745e32310883c4d731e9ac38b6ae197257c796bc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.3MB

MD5
d814ab5ac993a52b7965fd2146c7cd12

SHA1
d82b43619fb12ed188bc639b85fb9a88785c15cf

SHA256
133f4a17a9fb6da1799247db10435432842c52deada31d2b19e0450082a6aa6e

SHA512
e45a5d2fe8356edb9f5523820bddce9c4f956fdc63bf42029f2d4ad1c53d39bf5a16526494004c0df001774393fb7552b818061a2e16dd03723462999f55d958

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
970df0feef37e3507bc5c90601a0e1e8

SHA1
7e423d80f5a6681a67039ce8b3752888b48af7a9

SHA256
ba63274b4717e1964a0c20e9365201c16229b0b98185fe1b0ec2199b4012e239

SHA512
8c8cf5f33e043f72fb45b8e3e6f7cdcc366dbcd38fa383c25083c8301fd48808624c86d992b95b9891ec5e6d5609a083bb51051cdbdc347300c3a9d3c2611cd8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
0f5f16b1e49d9708b6ef784056bd45aa

SHA1
dbc4c6884a6c35881f11153d8113a70f3b7f45d7

SHA256
a57e4efae080f622ef040338bef05dac35dc7db9340d9392555251a1bf05356d

SHA512
376d46027a4c84856b38bb03ff2fc5fec9955601e9a77f499ada7b9b208fd6bd2d1a9efdac0c43811222e879f11bd9ab09ab9744939d9bd9e987c208703e69dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
da8bbd846d88af342abc4c3fc475e50d

SHA1
789f25667ff622a1c3d1210be8835b549b1fd198

SHA256
af8294e3ef0abcb158aec4d8b7dca6794a7f1d8937c07817602033134a556325

SHA512
96df6a4caca776b830e2ab1bae48493ffce8a358d12aa95ef218e2bc3b252f7283de02d2ffd94ea663d4d5186a8c30c84c328a7e4ec1b577f1f4eb769e3678b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c51a599834d1f6497dfc42f524305b49

SHA1
d7d08824997b957c2000d5489ec97e9da585b9ef

SHA256
0b421e2eee6115d7f5d4b2fcb98eff19d5b9a125d04224a8e0986d308c7eb8e5

SHA512
7f9061ffc2579d18326e37b086c23d00923b7047c7ee4046fa42cb502821a6179e13f9e88eb59f461e797faf3897b2f50215f0496126a0b6e6281298d2e5405f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
9b3e18ea1765683a5894b6e275e4c1ab

SHA1
2f3a86513ba69a1273d2679defee1ff0a729dc79

SHA256
82a34a54e1f5428e1923185bd043d17376d040681ffcdae9fcb87ceff1c1ea5b

SHA512
37d9d997b04f5f43c1eab4251ec74b8e1ed43ced83921969783b070db3d4e4197058773acb761bf556683edacaffecd008b25c687906136684d648b7f5c061ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
3085fdee8458b7b2a2e9da05ff3f0dfb

SHA1
2d89ca9c40c9c94614850619e2314a29ddf363bc

SHA256
2737dac01c2fbb2c074c8fc47f2b2c699e6acc6fb009821163265b7a1ab48bf9

SHA512
ab4547d1d9133c7689a479301269ca4f6ff47b902342417e90e606fe0e265461a9c1e6b79c1a637105f29bac94634f945924cc900225c877ce9efe14d2bc9799

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
5e0d0efc3e7a28be81b2cdbdacd5a5c2

SHA1
591b36529cc842ca73596db6f1ac188a83ae19ad

SHA256
1e71ed8bd375a6637b4efd17e4c831270f7fd6d02ccb47cd7413b897f6115014

SHA512
40b268a229e78cff509874e567f2aaa6832ef1676960d7b53e3552be60f5ad3db93a395d81226e2aa0c100a9a2f377b1ea7eace66f1cf5f34f2a46e7a8da884b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.1MB

MD5
7acbba2e2c17a286a366d689b81411d2

SHA1
296ee5ba7a4d38e1dec8f39bf411d6224de45d5a

SHA256
1828ad85e70c3271e6edd9319d99b540ad6fa88a9c4ab2ba935512597c0f0379

SHA512
8a6c1afd233264a80164b8286284cf4cd5d2f26b71f8fa578cac598ac360a8fe07adfb56e1f8a9d69ccf9f6b38184b4a4632adaf17e32062911677652097bcc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.1MB

MD5
07dfdc6a6c6ead4aa7b30bbaa9478cde

SHA1
3cd8916095ce5f48b4605cd5c064fdebc5bcb846

SHA256
9d6d9e94fd5d0b10e25c489b93878e6901b7d1d9bff69e1707f080f6f3e097a1

SHA512
c3ae45012932ce3528bf134cc321e4df53351182f83d4f5840cb3d6023c33c1930b66c3ccb171f1814dd0b944c6d411772ded95ca26623b4eb9aa673aab374f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.1MB

MD5
67042e29be7ab6bab030de5114fd5cc5

SHA1
7ad756239af4a55f16be776c73771122e25363cc

SHA256
4148c2b5be6b935904013b04b3e5866617c3561890fde8408ea73e1cf71eda00

SHA512
df534d250f4ed40955ec4cc26ad7125c8af9754bfe3d65ee42446d68e3283e0954a439acf071fc68ab300ed16ac4d644236769427d7a2bd832472103390c0a6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.1MB

MD5
8e0e838d056271f7262c69cab018d426

SHA1
99a32932a56f3a82b34ab17450d070b26ee8c69c

SHA256
2407300977507ef98d2656ff676f7396d9444709e6de801ae5959b77108834f1

SHA512
18ce6f48bd93716f210700a19852851fc7f6adf671a827f7680ffc5b6ab3c63c2463caa90fabb555b3f6cc90f8e33b4b8a77b0e218396e725d5bd94806b5f372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.1MB

MD5
0c3e4a6232c965dde4714895c552a06f

SHA1
8d51021127c6da80f464e42ed3b864f5fa9dbba8

SHA256
4bc2135e5fc21583ea100db8704a54284bd2723aa5b647673a151095bb441eb0

SHA512
b7b8a80c4ab75fcb79c49f0494cac85f810260c0cd9fca7d5d84e94f73fa733155d4621a5d5b48d93eee3c8fa6e4496a00370ac660fd381a0b14ad87a2259185

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.1MB

MD5
acb7b5b0644ef1b9d6d087c6113ea7ad

SHA1
2cb92491c57c4f419fd5bb3e8799fbff58db51ae

SHA256
9c68643eaa5f121240cc8c4c634b26a6be710d0251370aa57041f905f443a3fe

SHA512
fde6a32fff5e53c81e1a221654722072260ca387a7edfea8544e3f70ea28e5ca26a634f3b69ae6aef03204bf7cb8d3785bd4b1d3eed23fcef0073d0c3a1910c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.1MB

MD5
03fedc2f104bceb5401c27978213c048

SHA1
c38f2735bdc1056b66a900a653f527a7ab48f900

SHA256
39cfa4baad63a2d74230c345ec45b4b84602ee999da1d5c118ed1b65fc64dd85

SHA512
8a634ee7d6ba048797f0c5a6c75e6acd0a991c2ba1f1a683046dc2431a26a077fdff1ffaefecd33c69331d3a5042c48096a89bf389518fa76843d78308172918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.3MB

MD5
99b3702804de5182ec1c362e5ac4297f

SHA1
13a5cb27b743b331f9123391eaaa7c1c6a34b6ca

SHA256
3e46c16d34676a56dcfbb7547e376161e12537bd31f26def42eb81b41220834d

SHA512
32772961408c916ce20b3780c0ef898357c1e550d42828672a5272d2d0b63a02f063c4d164d5538804e2be9c394c0d256f1453f65fe243ad67c7c3240d28be24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.1MB

MD5
09ca66f3395ae5ff0192ec49e91aa799

SHA1
80efbc42d2b0fc213047970ef5f6303a5bfae06a

SHA256
e5b151c152bdb207663ceb76dd669cac5075827981dfdf3b9718b4a97e6ace8f

SHA512
269335464093fba48d827380458b336513ab762bb2a16e9c77d5b5214d885263c6bd5b0564510d1f3c672dc80b4cd531fa5aafd517a3b0dcd2cb5e7ba611d146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.1MB

MD5
43ddd865674f7f0a4e65a53e5dc47034

SHA1
41a15ad288327a4318b608f29a0f2bf520908c2f

SHA256
d411cd42b86b21dc7a682cf5c3b8e6c6c368ba3a9c13cd5385b3e64d750c04d7

SHA512
2259fa313282f98e88ab354779e13cb1a495f4d39324bae70c4a9ea0d5bff2d709fac6b32a63fda7ee237a11e785182199aeadde28f6d054d482cf20bc7b07dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.2MB

MD5
a643be255dda0647e4b43369958f1ce1

SHA1
ad4ac5707b82277dc68c03d0e9fd6b16b13545ee

SHA256
c762940f31aedf23472a77a9a5f6e09e11be77d0414ef76acb661956d7c707ed

SHA512
8db370af022325e9e5b5b48711aefe447678fab294b3f8e3db67677040646e902fb0b44685173e55747a123b4ef155d3d9338d9a30e13eb2e2374bbf3407e9fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.1MB

MD5
1c0aadc48d06512201e98fbfddb6030b

SHA1
b5a79819f5536f5763d19a405eb8ab4efb7f97cb

SHA256
b86042dab7846dfb6623fd4e47f4bd47d12a31b7b9a4e916a877ab339fbc03d5

SHA512
40108b7167806d88eb24effc3ebe3d19348bac6cbca334c85556eae40554543c6d6ff949b503a24176f0322b50585b626509ed2a22766c31a1b9f8dd1ae951c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.1MB

MD5
1ff4598fcc1c00be25cd7ace0510e1ca

SHA1
a067e42cdc6066badc059acc0a12f7398adb0483

SHA256
46cea7f199511fa3e85f12aa3fd66301f2cc22d786e67c638ab417cae2d1c25c

SHA512
ac36ea6370086d979cd5ec1f86277dd5fad2a17fa0dc95fd8dce10025dcf56d11e814a9055c55e1f79e4e1d7b897d1c86d954a93fc315397e5d9101339bcb542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.2MB

MD5
35f484cd371770d16c36c2d55bf92a16

SHA1
602a7f224bd35c1bfbfca6cbe3b796e8ab7dcd40

SHA256
d9724d2b734423a57bfc2a770655fbb96d0b02541d65f08a78674fd96ecb6c17

SHA512
b15949fca0cb8b259a4875ddfd296456a6df5d91303b0ad819d5a29012d380da1b86789d0e1f3981ecd69dbee866fbd25e3b3499d272e8d14d1dc9282c41a4bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.3MB

MD5
8a034c27162b1ba48598e89dcfba4349

SHA1
c443a82b9607b66f44fe9eea757897f242806b80

SHA256
dd7bf5d61960f26f4b892211ca6772d81f38ac37db579c7e8a12fc46a92ef799

SHA512
655e61f8b2a5b6b05b8f85a45bfa5efd7b490be0fa6895949679e69e68c07d71ef11e071edf51ac8815bb97956e9dda536a89c982b337078974edeca0b9e6fc2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
ff2cecb16da286f919f973665e97331f

SHA1
6dc8f161390a94b9712ffe9f1854fbebced9870c

SHA256
39ebd06d469a223bee4385535c97818eb995a532a684c3266a61d3efd56b3709

SHA512
036759508d157b4805993d2b6202662b99d9a0e50a2baff28e768005c255fa32af7a96967adf82ff16bd82cd2b78a1ea5e5b390f212960997fdec8deab1f2d8d

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.2MB

MD5
706928951b0cfa749a34d518271ded99

SHA1
c7ba3021f6c58a184886f6482ff799bfcc7622e3

SHA256
51cf23ccf8ae4af24700037caac09fdffb2391041cd13d27cfcfe13aa7ced5cd

SHA512
1ea39b56a02fa524fe9ea334b1fa226f6294840a2a0c460f1214307fe6755fd683e3932ac9dcd7b23a0fc4336d2489171debd61270e8fcb835d62c1c535e4fb5

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.1MB

MD5
0aba3addadc716867308d7e1aa10cf80

SHA1
dab458ace2cc52b9df03d86caf56d6e7e758d261

SHA256
ff8f83e26861080262dbfd3ca2bea8f50abda8cf70e21563e8e8c73e84fca93a

SHA512
c5087ec3d9ffb89a6693d1e117fa45e37e445a8b29d6305752b5e562e0bb5dbc5b5f975c9ef1e1990adf2aab9d5d6c0a41039dfe0597c2e50955718c5ad610d7

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
2f73a4f8e6c49948ca9ed20594ca8fe7

SHA1
f176b236a77e20c18c5d09984f716f477fcd7ed0

SHA256
d8a1a2dcfde222902739987fa207418e330ff1ce599cf24559746c8a8d922f58

SHA512
a21828ac9a7aa7cce8b4ba0761f0bb047041c262c6c7508e1f461001e5f2396b1f11f2407a554b646fed3e001973347545f129e8677423196842f0d4ee032ab0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
f4ea878856bbbd556adfc341237cdef4

SHA1
c6e60bec71918e8360112d3f258c01d0c19d85fa

SHA256
9d21213c79ec09e52c2f3c8030a293ddfbb9452d9e76e719bec96015937bc6d9

SHA512
da1b5020094019b164502c0a3116b41cb5f47f97d7015a6a1ca01ca6396606c225f62c4274d10953b38e488a511f59ee167db97e2b9c200a133037ab9cec5268

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
fee1ee3b26e52d9796b0f27a2334e77f

SHA1
94e4d7cc80cc167fe677663c3e1b16297a6ddd60

SHA256
b1e0c086f4b48a1425e5f02f337ec7f1216245e4fb225e99bab29a1b84ec9c41

SHA512
40719de46a17cd42972fef4a2232277d471271a12cd5e13e02efdb640e25b06d2dd35377b591140fd632ed6dcd9028bcd52cfdd013367580fac83838d4e78576

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
f1b52e15c6303c58c5cff4fba42d82b5

SHA1
9ed5736cbf2fd949a9e71f730a1d7df5b554fcb6

SHA256
52a91cb19ea0876fa2be7cfa4cafabe5cfa164eed824a6239026d6c2549eb36a

SHA512
b490edcfb2ddb9fb31e77a9fdb50bed7227a1505c6fa776a527bb3c7b6880d36b2cb81a8cddf4a9a5c4c03c96f8e6eaec11a2f95ac91bbea79b1d3da7e486c7c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.4MB

MD5
017310bedb08456cadce2b73af814aed

SHA1
ea9abfe656d0c0232208f724fc405e7efe173439

SHA256
f355cd99059f148a931811993bd209a8a707706c93e30e01230057dd9718c1c6

SHA512
9ae803fb242204649f63a0ae249fb323d5d81e31488cf680b9a5bf416613f2ff370afae71454bdeaca868e6d36c1754459297b948939b18ffc8f149dd28c2b9b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
f1729b62b4078f81dcbb46980e582248

SHA1
45068befd8b6577c0337c74fc188099b68ae2023

SHA256
8af577226c88c97c64cf1c23dfa9c3804ec8b8db4a4a0a7f43c9282dd20c2be2

SHA512
03824f39725fb03cdd03050de103ddaa933bb4b0766a2b350c486a868881ec1132897d5e63d33a760d8cc34368a14815c216b5f9c57491de37ae5877947f864e

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
2623b585b9bf47dad1d091b44fd6e919

SHA1
a6dff8f6a66e582a245222554a22e2eb644ebfab

SHA256
b54b0a5f2eaea7cbb6985910881c048ec73ac26a6e92218f44b7477814b6f2b4

SHA512
1132806b525320254750d8bae1fa4ccdbb0242b9dbf0202f8e930d58a58ae745f320ec69644f5c740d7763de5b63eb3f3f7fba4a04546459b949c1feca5fbb2a

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
4360873e672608108e25561974222e78

SHA1
63f16ebfb2fa70447a6ffbcd43e1be0d57ec2d20

SHA256
85006fa3f5ab2e463c8f823603726246cd13c3d619e5a37be2ed49f0573e4155

SHA512
312235875426c026faba48b2ea1a555807897e8f66f8e7e0777d461c6c547e2adf68fb1a5eea54072ceafd3d21074a8e99a6ba4db2c6566a63d25e884a1f8878

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
dc684fa0e80a654c68346c67e26bf463

SHA1
be43c794f47d83362d0ca0e4a019e20a99a33a2d

SHA256
e650bb43c30361fa6b20a2783f97bf9025c31fd4634345c8fa53196cdc0182ad

SHA512
6fed16c3114cad9f1686fdfe71ab53d13e0e1bc646676f626e47e0df022114db1f2981cbc1baaed76557f6cb2037904c93c2b78334c1f33e702a101545f1d9a0

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
0faf5e78bb8fa25fd31644bd90920258

SHA1
ccaa425d4a577aad03c5a6512cec5f9b165a4990

SHA256
52b17cbe758921602abe45daae8de1fa742f5bae7064c461ce493530154a4498

SHA512
d532ac66f5eb0503a4558ae6af0f3e095d9ada0dccf5feef92e53785143b1b003aa619890c7c0d1074846a367edfe513a5b61c9e09eb2461b0610563425038da

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
aa3b0f3a535223aaaf23527e3dd4abb6

SHA1
2b52645bc047a8a7eb733d665f989a48f5bd147d

SHA256
2593d8380533daaff0e88d7b021a78447686c01e89684a0ea046ac95186213a0

SHA512
33037028c5c8ff099945197dcf342e215f7e083c3d335e6ee9975da320e339a4c8a61ae4a808696a90a09595456c08697289853882d324cfff486fd7bc2daead

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
b5366c256ff6c38f08d697b96502bc50

SHA1
ed328bcea7f7365e0cb4a9b2a6ec48d1664ae8df

SHA256
d491c6e6620f86e765472027966921e68f7d5c1efc3f61af7a85148244666d8c

SHA512
5ad7413501c264f7e3d396f345a3d4c5355f1e35fd207184033664389e73ea7f7fc591a9272ddeaf7c05be547d72c6d8cce9631fed39a16ed767dfbd3d084a79

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.2MB

MD5
c7871bc0004ffa4dc9ef50500ac98e57

SHA1
df0a04477ee7a297900592227584c62ce4d15dd6

SHA256
aa94aa2da52828bcf0623748a5b503ae79aa69faeee3e54de7e26823cf9962c8

SHA512
058c11b7cd52834d56a5c655620e6c2f9e36312283db04697812fd33d26015bc40067d37c3b5f4962c811d4b45914ee7ff3e34a5c5033a3d45e7b83ed8154d57

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
fdc96eeca2baec02a1cf8dd39be84727

SHA1
79809c7429e5c4b13c721744c9dd82a7e36165a5

SHA256
95fb9b0f00b211e98d2963cfe41e2ec246060ac2558d0a4a22c4cc8a1ee77a8a

SHA512
36a6f4e32ee7fa0574f5c0dd206d95c1678fd54d3ea3aa7e349dde2cd81ecea6730786a3158db933d64b6074601aa66cb13263661339bb76743958639e8a65a1

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0ea0e33ae50e378f3b9ebe70e6f42c85

SHA1
98ab1055253a0d5b6425f45df20dc2d4c8566261

SHA256
3d1eedf4a04d68c335cafc764fdf6cc006322e27769c32e4961144c005fc9137

SHA512
41d929033c0277899f7b408f05674a05d812c4c038f6e64192d6e52573917b8538b36bb399c5befdbcf47da49a6281d4b0ba8cb50a4368cbee2d550cc8f83700

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
fd45f029241c25bc1e747eae0edbafb5

SHA1
5d85fbe0e730a81cd10d9f4f45001c6eeef0c5ae

SHA256
3916606f7876be0fc52742764eb6a269836ecfad4623284569456652917508bd

SHA512
9cc3d1fdb36709751ebd98f85498a6d5f9b8bb4e5a067f8defd4bd6224007591f22d8066bc997d963fb3bfa55eb947a097f0d26972a9a1c060e2ffbc15523a93

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
1c8b66cd426d18f66be59606af4a0d66

SHA1
b3994fd0c91caf1342014d4d6a608542a35661e8

SHA256
3a0ffbee23ea197b8ef038596a5fbb5b87121feb668d5f41126bcaeea985a2f8

SHA512
3797fe541cf9167abff27294097168026c54c3dfaa4c17a65ca4de321bfec8ec214163d2168c58f10de6d4078bc39d9f617b2e698f512e3b1929f5ee4086ab96

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
e553a3792a9ef3f35bca5ecc8130a9f8

SHA1
aafc03b1627562a6fa041cd2bc306fe0a83c371f

SHA256
22c40c61a272bd97c525f13430c7be37921485ab3a634deaf734474bf52f15b8

SHA512
dbe9334921d2a1f3461f27f029681d4287f74fd19e5c1833a8ddc5eef73e8e587becfe6e55725fecd301c5af4f65439d4271593025d9362810524b6a1e0f9cd8

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
185067e65ac7d04bf58c87b61f1e540b

SHA1
3d99aaf95b256afcf519e86a4bf07980770489a1

SHA256
a85730697c53443b101a96c5e8429724276d954ebbaf53c87de8d3d2ed16e2f7

SHA512
0b18369cd9579e733a62c0557663a4f2d13a367164c95aab74dec3b4b87193f665071beab9ef496cb19cf7234e461f52d75c8d7fda686a1d4b45e89fc1f51f7c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.1MB

MD5
20d70583e2934bdb27fd5f951e2a324e

SHA1
fe3d4a94583f2a45b255ed62e53c2dd797d5a333

SHA256
f3c726570c5b003ac769b14e0094cd60195150bb0f892de0bf5e3f9a1f581612

SHA512
511e2fd443af2846eb140ae2dc919790d2827bf0dbd59b3a9d185e9d99ce4d67266d0bc01debf7d2ab3893960f5ef93bca7e79414818a43b0311941a0e0af79c

Download Submit
memory/400-262-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/400-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/400-486-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/412-38-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/412-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/412-43-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/412-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/412-45-0x0000000000A10000-0x0000000000A70000-memory.dmp

Filesize
384KB

Download
memory/620-238-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/620-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/888-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/888-32-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/888-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/888-129-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1072-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1072-490-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1208-517-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-263-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1212-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1212-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1212-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1212-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1420-130-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1420-249-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1812-122-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1812-225-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1928-109-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2088-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2088-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2500-84-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2500-78-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2500-82-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2500-80-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2500-72-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2628-396-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2628-153-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2652-20-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2652-17-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2652-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/2652-128-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3220-237-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3220-125-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-226-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3368-491-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3456-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3456-57-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3456-182-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3456-51-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3620-488-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3620-185-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3632-197-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3632-489-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4436-471-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4436-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4508-108-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4508-87-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4692-250-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4692-516-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5020-107-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5020-5-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download
memory/5020-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5020-0-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download