0d3bc779cee5596f6610513abf7b743fab51be3a40edd266b74705dc52ffd564

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Size

24.3MB
MD5

1fb2130a26933fb1b2be65d364c5d786
SHA1

8162f709bc5cd0860bf70170e66111a073f6e020
SHA256

0d3bc779cee5596f6610513abf7b743fab51be3a40edd266b74705dc52ffd564
SHA512

d76b85d3839e59446049db9c850a8a831fa37de06c9f07ddcb025143a046b8a4a93babf7b1cf4a9653803b8b49cf835d88c3e617af0c195af7adc7a09c0a8b80
SSDEEP

196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018hUoiPBx:VPboGX8a/jWWu3cI2D/cWcls1o

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2592	alg.exe
2144	DiagnosticsHub.StandardCollector.Service.exe
448	fxssvc.exe
1656	elevation_service.exe
1992	elevation_service.exe
4544	maintenanceservice.exe
1688	msdtc.exe
3224	OSE.EXE
2328	PerceptionSimulationService.exe
1616	perfhost.exe
4368	locator.exe
612	SensorDataService.exe
4220	snmptrap.exe
3248	spectrum.exe
2984	ssh-agent.exe
3764	TieringEngineService.exe
3076	AgentService.exe
3596	vds.exe
4004	vssvc.exe
3616	wbengine.exe
720	WmiApSrv.exe
4092	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a934cfb4b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba86a31e0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000433700220daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b301a8210daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000723ac2210daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fcd4c1f0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a0d91200daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a90b56220daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fe710220daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000326c2b1f0daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043cfd3200daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a1a7a1f0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe

pid	process
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	448	fxssvc.exe
Token: SeRestorePrivilege	3764	TieringEngineService.exe
Token: SeManageVolumePrivilege	3764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3076	AgentService.exe
Token: SeBackupPrivilege	4004	vssvc.exe
Token: SeRestorePrivilege	4004	vssvc.exe
Token: SeAuditPrivilege	4004	vssvc.exe
Token: SeBackupPrivilege	3616	wbengine.exe
Token: SeRestorePrivilege	3616	wbengine.exe
Token: SeSecurityPrivilege	3616	wbengine.exe
Token: 33	4092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4092	SearchIndexer.exe
Token: SeDebugPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5040	2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeDebugPrivilege	2592	alg.exe
Token: SeDebugPrivilege	2592	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4092 wrote to memory of 1496	4092	SearchIndexer.exe	SearchProtocolHost.exe
PID 4092 wrote to memory of 1496	4092	SearchIndexer.exe	SearchProtocolHost.exe
PID 4092 wrote to memory of 4524	4092	SearchIndexer.exe	SearchFilterHost.exe
PID 4092 wrote to memory of 4524	4092	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_1fb2130a26933fb1b2be65d364c5d786_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4212

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1688

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3248

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1496

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4524

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
da755553a2a1787f1ece09fb6765e992

SHA1
dcc6a80b32a09db0f4ac2260da4b920c02dae479

SHA256
b0586a059dac6241746310beb33de72bf92957dc7ccc098370fbf93e47c37e66

SHA512
def5d6f9f37aa9c525263651d251326ac05b488b5800045b3c201e2d593c83821f7f1d3eba914d36d0e98cc9d4b8703a25f3645f80e29829c9dd98258c874c19

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
d2df1545428f9c18838cc80dafb44f9a

SHA1
f28547b93ea62f9c56ac46f79b282747206e29c1

SHA256
df86a53d024fe0d0bbf47f24df0124b5d1408de51216eb18260ca280499b5c00

SHA512
08ba40eb96eb38ba42ec7938b6a87016c871dcb19479edfce3a0987a25bab17a9f328b0a7c8c96666bbdb176471f23d1084a94b9c7cd1ad446a57b8d70409ef0

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
d389ed56ba86b5fbad1e2e3bfe38689b

SHA1
712044fd1907ba2fbbde66e920dec7e5033a9714

SHA256
eedf360f4c831c83bc3bf7c9344eee0619e4a1de9a99a92c7d195383f0ad1327

SHA512
6fd81641d79d8c0e01ea2b019cdedf7ced0b7a334cd847234bc29a0da8a216d344406154e160b703d9193ca6403bd3ff25afff78bcf4ee8b6480af201712e06a

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
14e503c5b03e2d2062b1d8c09f0b87a9

SHA1
1541c5f2e61f479e08cf6584bb661dff38a2989d

SHA256
8c924c69f21f883e6cb83828da3d516f1eafc8108d0cbfa3242b6aa2e0b3a109

SHA512
c93df3d39d3c42495ed29c0d525dc1f935615db70b54d961bf28f971cffa87cca5967aa4b0b4a3c378af4ce23133eb50c004c9ef4ac09b07bea5e3f80316738b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
75550e830cedce1f2ae50b2a22cf7bc7

SHA1
79b7311711f438d765a8ab119c4623463db08e3e

SHA256
940ec8273fcb28d4f204d7aea19c1724ca79cb951c5a080cf84b472d0daf5760

SHA512
f8fb74d031cd476effc652ba50d4787cdd9af023dfd529380e94691f4d93d3b49e0b11e5bcbf84bc02687ae3534a8738cf39743915c2e7793b3b77c56577cfef

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
126f6839bdfe0c692d3eaa034249f130

SHA1
2bf17563f0dbd982cc58bcebf68b3bb40c579f2f

SHA256
50c028793c3256a2acc77c6accc83a47ab77a918acc870241c62ce10ac5f7bde

SHA512
616c3d5ece6f40ea0928b97edf7df0256e54aafc1b2c0bbb5b61d2f48d8a6c3ca7c7139367256e458e5d8452f37dea48e6371f317d2279986216204c94a71213

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
8001e789420d91cdc9f3c9c43190e0d5

SHA1
49b45093218896cbb51af3feb0a068ffa773c7ee

SHA256
bb376884d2a48ac1c064ec58ae0ab20f714fe42149c0e45b39ba9249941567b7

SHA512
f3df55f0b58630a22c3757554e702f4e79a75a95b779e978b0dfb37c17f3294b96eb083ac1e4152fda32b9df24f3652c72e61b55b241c7d9704ce4f413568b10

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
793161f3bd8b8905ad71df9402a4b145

SHA1
ea3bd4223151a226121b8679d2ccbd146354ef79

SHA256
1c7ba721ff658fb3a5fb9d0b84779cba4db5cdcd91dcd286e8808b6bbe14fd36

SHA512
a5d7206e49a7e6296c13036d05fd09f7cb81e104bf09126a446f82db83df11262d87a9b15106e881e27797a1524d4b4dbbfbf69d310d112ac37e34f874956a73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
0442e3ae734d4132cec11fcd058402e8

SHA1
9ce79ead012ed68a257c7cc3a02641a24a39a7d2

SHA256
07f5e0f452913846e86f18044b25fb423587f064926d63176cfe6fc32febb435

SHA512
427ae5843774dc609d186378af23087064a3999ff19f81973093774d4db0879150f445108c135767481ec6efe65d644315092fd9967c226fb546af900426384e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
ee3a6bff175d545b8b27302e8c021423

SHA1
7ec7aca520097dfb0fa4a7c818599c7d6ba3667f

SHA256
7952d143e9d4f4fc0bb1607b6524ccdf3c611fc9ec1e1bccf35da5aa77f0bafd

SHA512
beeb16ac6b44765e47b63b624b3479c5edb517b2d55a0ac37df0817bfffb35e6efece3172a96b0340965ebb982cf0f37f78023862d6738870988c0fc9fe8cbdb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
dacbbdb0d04b327584e76fefcaaafbe5

SHA1
844ffd922c987b87b740b0e3316ae80a65bedd67

SHA256
e90163bb57a27d59d4fcf330a9927b8970518991f121f572f70913cfe19c1ae9

SHA512
c222d1949b1297e797b4e53aea9c0577bc604f5ff75c3005ed0ce5e1d68695553966857f70564a0d82de6d473bf7d647f7ae25ca490f210583f3c01340af318b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9688ab163ed9116d84481b1b923d90cb

SHA1
5133429c4b122befae4eb0266348a67c09290447

SHA256
9dd9e4021700cb4909468586192f4b11ef6fa5239620c4e3912977911815ec94

SHA512
1846d34c1c87247695e1d23e385e1b2ce11c6f561da0908fd1deae34339e9b0b87c5854dfdce5e7493711718e8e99145cce7d0aaa45d676a3ff349575868a872

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
13d2ca54e8881bff9af742d0c9c48c75

SHA1
da4c74fb84d48eee4af37d7d0dceef024680ba90

SHA256
5da416a1c54b817be6f931af4eacfea0bcd0b6f7a10f6a375604d975460a4b7c

SHA512
f7eeec693820198ad92d03277fcebc548003970950254675547f6a73e043be970a9429bfbaea242a910ff1bacd908b2166f13db5be12350813937e5be734d2e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
f0d9c78f87c68ce98cb45f361e8f04fc

SHA1
13d54d3ca3086ce934e3de721f8e372967c675c5

SHA256
d8d66970578d005db24f354db65aa4f48dd59fd81b206e2c24706d8abce48161

SHA512
191989c1b32dd30fab350aa9d9ee35bf66311bf961a2e5d35e9e4da0fcc3f88060d877d59f1403033e9be463058a3153f7114633449fe88126f204d284e06ced

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
2d28cc41987ffb5b307fb9c96f90d5bf

SHA1
78c29d2b6fd9d21b6fbe9eb9188d2c3f12d2a186

SHA256
81c4709134e050a031f5df4c88d0d4adb42301143096833aa5ef94dbfc5959f9

SHA512
88da13d44f391560f5a27e3db77d8b0f234ba1291e3ff4a5430ed7c36d2bff0460bcaa504bb4103521d4e46ee9f40c5312f9c78dc81479e56a1f4c161ac17de4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
cb84f60689cfd74876492006368afcea

SHA1
cf6f0642d06a659fde97ec55e47a3c4b9571f1b9

SHA256
2be356161467ebe7c80a6590623b144bc83c0b3b52f9c1119ad64305da467b69

SHA512
0a4de79ef723618a7944ee4b7dab4eae422dd5914b70d7a0ace44ab8969129ccfe56f5e21a322ef8a780b25f8ff6c108b52054c56c895d00c03b80d1ee9e5ed0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
d3163eea2ac0b7136c9883a517b74eda

SHA1
4f8879db68eb7f6980e44867c17ae931bdf656b9

SHA256
a253d89f722cdfd1b1b8d1dffb0cdcb6c879b95631d709f51addd290a1495b6e

SHA512
b8ec69ce4a3e01a20b467a6008ad0d5c12127341bb90c5c68529f4609ddfe50887c242bedd52b1a7785f2db74b19b63fd2f868ea6773c1cf6229f68594e74631

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
85985b801433338f7a29267d3e0c3405

SHA1
819c3557154df4f081053c3f18412e4ec8c8333f

SHA256
405b1e9c5a8fb0ea8d3da8475b6a1b7c34de6a76160b9f6b03da3e958fc61cad

SHA512
4e8ff4947e8a43eab97d2d9757463de9d525c300bdaba4a0836fe50cfde1ab078e272ec5378dfcb89a4a105fd736e2b24ffec5ac68482eb53f95c54fb8085cdb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
0711af68129580aac1e786f51219be52

SHA1
ef2db6abd76aeb2927bf679036acebb2183998c0

SHA256
ff80352d4c3ad01739f32d62ae86f2c8d1654a1785ca2be19d810068afea79eb

SHA512
627e6121befae26995b7475bb5f36bdd536f4be8626ddac0a2f1a0ff250bd7d5fcbe5ea7891b9064c87aa6a0170b0198bad2ab977c77f0b32bc7848bba377199

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
ff96abc7cc0a4d7f34fd1ab8b3a3d24b

SHA1
fec0c15b28897090278014853c65680cde05aabd

SHA256
02c76edb71e9fcb5acd0f7c4732c4efe8dcecf4e21f8690c34f9130139efdbaa

SHA512
07c38031d4ad49f2f0c7eda8cdf51fbb50be63776cd4534d0534bd251fbc4cddcf6cc5ecec28ebfef7771ac707b66771e0047e198a1d345a0630d796d7eebf32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
7c9abafae3f3e6e82f32cf7223a09af4

SHA1
7937feaf917925d72849c16cd7ef6f2be6f4b558

SHA256
04e7f7d47549f795e1f0145e53c9c3d2aeebf7ab264d651eda32f2ae77de68b7

SHA512
52d24eebf7051027dc0e77e0591afcd7f76a4fd7200591627fa84cb1b2cbdfae81b4b83175eca0ed869386c2740d6b0ad5bf9743c24bae9163c8ead8ff689af1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
6c8432249cda539204fb4db9193dd6df

SHA1
2338258432d237edf1e38913ce9251abd3bc8c8c

SHA256
56926f25a42fd75446471361e099f1efb702454845162e47e83c09904ab1d7ca

SHA512
07a0e3955509493681837e97db1d104e88fc3e9460dc7e4e7fc1d61166a26aa8da5296f18babb27658ba20107edf2735e0f08c447c35f2b74b325c45f6951925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
efb0e64c84b0adbad6d6dfd90b2286fa

SHA1
61c7e0dc2a7a48902bc4ccc0db6a79ff8035d147

SHA256
7f48143cb2eaff69991156da0a35152168cf6e12d1dc879f363186bd5646e8da

SHA512
d98b1b71cb50744085192f6fe4b2aa5dd3761740e32dc07d3a0450fd99d4160d4e344fdd9e772f8df8d614562553744fbc5c0c171c6993927e7b6221f3b3f10e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
b0fed54789b4710a410524977467fa09

SHA1
0e18de6946ff096a7fe0403f9cf446926f1ee715

SHA256
07f4d4a79aceb7581b574f7d2fec653d14d9981266350478c6fad11cef069f79

SHA512
8803ce508d34501a684bdafdd808e069a4e929c186cf151752ddfa38f1a05d89f223d1e929b5395bbfa749964c5bec2ce6b4625185a3f265d7bf8cf96d3956a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
5b37722a08d55572ce06dbf0460ebec0

SHA1
eab943037b004c600d26938581c4d97abaa1abda

SHA256
96831fa0ba7a2acc55bce59fa73da663bbb9cae4b6e7aa43f3672c0ba262e17e

SHA512
0ccb10f6478a04af79e38893c9b4a3c6109e6ca1e9b54638e746f3e5b70b23ad85d7f280cbc9b96c82525be0d962e6ba100f6c002001604f9db403bf859722b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
c293fee2e03deeebe78d3f7cebffa900

SHA1
a759a9b835ebcb9dd3a38e9b5d6315cf387297cf

SHA256
6e4155ef6eaf35eda346931d611b79f73a7a81bcca862e9a4434e3bc74bb7ed8

SHA512
98aa3311616110585b6c9dbaa932994da80d88b30b15a93a04cc7bb318b2022494041071bc828fa40cd1157d2077680feedaf9012fc7bdf3222c416ec8c00ff2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
1b646e4c16fedab7f482a0eb37be6f9d

SHA1
634e631df959c66e966ec1dfc7055fc19616d093

SHA256
db0c34f553b01773989a51fa9d00df7c0b60791765711fa1d8fc4adfbd2da7ef

SHA512
18d9df6ae0d3cc897522598c7cb4084ba9625193118708cd92c2f99b753a366650172342f09340a3eabf1cfb076e5ec9e0a8abd0e03766fa0d7b1e34acfaa790

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
67ed44cb0b924f9389572d3eccaac1e4

SHA1
5b307d22fe361dd0c49dd3e842d5f99ae5d195e9

SHA256
c01eb11a39356b6b0c56dfe26d126177cb1b377eed650d6a351db85f0a56a3a1

SHA512
e750394d630f8674258a7e8a27d13de587e42094ff4c05703d95ddea86c4032e318771b89345f25864ab555d1a39fb05ced20c0e59c6a264eb238096e1d89d31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
cb2bcff27c6c9fc373e0162e54e4bfe7

SHA1
eb2aaa9a7457e69edc263240004c67ecdbd49c7b

SHA256
38d10092caeac809972ef0a5fdaa6edb40af9cd5723dd79c552ea7157a0e9b02

SHA512
ebe3444df56cd8c09895d6d39eb339103d0d9752446608b7eff5c70907e0223629e6c9177d3c8ecf1b6f829317eaa45be1069d9f31e55b566848cd70631a7033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
3ae75282108871fc193ca8c9afe6a8a5

SHA1
5074f72eebabed1d58cf856b27a291d3fae0db20

SHA256
c015b8e531cffe93452dfa8db7cca42d0e85ad58beab60e12e91f1a49981732d

SHA512
286f7c91e63f18f2ae944468dc485d5b2b13bfe0da749c0ca7bfc21a17b7b075c2eac16950e3115f8ef7ac9388c67818644cf22f0bd1e67db694f4cea3b9e2f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
887468fb830b5c3b3f0b009dfb03fd63

SHA1
28533fcd852a6366400feadf99aab0acd6fcb29e

SHA256
05ee83ba02d003439d400eea818d5ad22409992ef72401065e384ca2000b0005

SHA512
bd8e5b25922bcdf38ce4773d4229c5e2d3266072239ffa090409ba8df8567c36dbb494a3ff817898b6116e0bb0bdd93bc3a880f28f77a9e5f4b47d02f8855ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
ee6f2cc2ec10f8f4a91761bbdb27803e

SHA1
c03bfe46d34396e708db34ce64819fdd21ccc725

SHA256
fda9112b02594c58cf9ec11141d6cfdeab3225342074457d0c479f423b1f8d88

SHA512
705e205a3c08b8122f61bd14120457d1951f59e517ed474afa4e4cb512dcfbdc59a1f50b61c1bd295c2ba9dada096cb2ef9a86477c41291800fe644a07d5c98f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
da70e2aebed59fca4180d78c4fa1b209

SHA1
7827125493dab156cf91d4d77221705957422b33

SHA256
14cdd1b19eef6c14198fc57ab3476db8848cd61b0a16b8e79880d85dbb4684d7

SHA512
7f4baa1021fc3eb2fb1498631cdf621308f27f5acc34782d4b15e1fdce8f0b3fffe3174cf3cd70d94b91d222d5dd4d36c7c28175ee1831afc3540fb748f93139

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
d55a9c6d22a8d9d20c4848c4a9f75161

SHA1
aa173e13d712e91ca41d43d88af5d1c6e7faa2b1

SHA256
d27931ea966271fe8c0b9d1bac7dbeb64010541b656d615e98bb829dc9254084

SHA512
7a233ea3503b7a44ba9b6a376d891fd34252173cde85b926baf7664696c7f24bb5d09b0463e85dbbd0eff2de0a9a0900e5e1447435d11f678f0c080d519042e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
abd29dc7a5b0211cbb1937a8fe5b4f04

SHA1
ca71a6a5df6fbd27712a50f0528a7e06aede19ed

SHA256
42de307c08be4df85f0892f83de720eff4004cc143c01126824eab83b0799704

SHA512
8a19ba49049e3f542a47b19b9af8f074b95433d02919afe81357b04e5d3a5e3dcb35ae3a700335761ac69867212813f7f75e54352c27d619a8e8cd40e79d09de

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
978ab43cde73f12fcb12d87209da1ea6

SHA1
cc1db63f40ac03403bb504fd0b9afb73e7fbec1e

SHA256
e87010d7a4303599e4c7bea4d1de7840e0f21313f1d4f0dc52de1d589c0e87be

SHA512
4b2e03e50b235daa4975cae1bbd6184bedc426d90b44b2d8408d65657de0010a51d5f4579a93e045ef672a82041b82c3afc06b4f95c986a52665320a37ec9925

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
64878352259d487aed35c4a0eff676ee

SHA1
2fa3920d075559681873dedeb93b434e45653d9c

SHA256
ecc6702cd3362b26d4386e259d68fbbf197ac4b4716f236efa94d5cd72cb6b42

SHA512
4749ab6439d11130b3604862984bcb27ac45ec87612359951602afb8e32ecea8d0f4f6c050ddfe5b55cb32c9355416b139d3b8a67c499e9f1072e7aba575d4ce

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
c53253d705d6120f5444fd38e3581f5e

SHA1
92f1c2d7b5c6dcabaf7c0088aa5f94bf06c3595e

SHA256
3b1a469aef1725d2ccc09b6ba573351bd0d98bd5d44cd69b32857d6e58b5047e

SHA512
b41bfcd60fabfcbee32eac711785c3356945400af2631e18cdf4dc5b4540dcf37f3441af37a19095de692403eb9dd45c90e16e6a67614c5d330e7e744c33439c

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
b4cb866e0851c1b089e777bca7d0d08a

SHA1
d727714e32fc7d4582acf0ef95c3578b5f980656

SHA256
7c9905b56d4ede184334683e09c6f22d6f725a643e7b8f83ebc31d9812198839

SHA512
e635fbfabfe9398d65a754156791429e0a0bb5a7781b6a345d0547efcd2ee80e4fec43cd61a773d07cd3f968aa0a7ddbe2fb26b4226a173d45eedccfba1c2f23

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
1ce3650ff8cb216b0417b81ba4bc32f6

SHA1
051131f925208560318f2738fd199eda638c299e

SHA256
87f4b1ca7b45aecfc39e1fe74dba8aafd8f46bf57c7b3157cfe91450ad53edde

SHA512
b1d4105a45ee6c3919edd9bd5aa5aaace54b029b44d98d10523d2ffe238004dfce8569b050a38858ea6125754ac814ed69273524831fcb8e726678283ac0d536

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
83b12df0f1e03b9c1338f325ca4671ef

SHA1
e4c6c16cf59cdcf2ebce114be0eb39aa68abb6b3

SHA256
61c2c0a2d2befcd766d4da5e048af3dd54513fe31e7be714cfdfe92d560a1744

SHA512
f815b11f438725bddde9182bb3e47b7894ebf6b0cfdf7dd93e737ae009b979fa1daff79f0df6bcbebf022dfd4d9b83340f9da3581aa7cdeeac4c85d4e1231b5e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
40239207d48e6ba98e3e63cf01ebed40

SHA1
95f0b39b8dabcf509a744bc6e712bbd16d8dc886

SHA256
7e6173b92d63a11da2059100c905fdadb1edaaf524d6c8c9e0bf612e4416833c

SHA512
9740f098d0ad5a9eb76c31896acd28f5fd1aa9201109e9bdd88a97405dc0bbe194229860617ff13fd908f004e0403749309790ee608991f6da3ad3585b6a43f5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
fddffdac32d39cf29ec5fff4a556e7fa

SHA1
1af4c7f0eb2a588977554b659d2ddae180203dfb

SHA256
f29df0099606a9e5d51fc856a004fc9f6a90a472916dba56c3bfb1017908ea63

SHA512
dea329e67afbdd5c4181ff276e117a10364457162b727279699186e558572b65a09a0269c8ef40fd894536b76ad3e4a6f343be832ba1bbb10ce18281ede8cbbf

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
a329a183030b067d1cf9d0e7c9bbcc9e

SHA1
1ef11dc826f483999c511346ed65aca9252517a4

SHA256
bf86811ea4f009b936f809bf8fe4c7ea2026b0fb775a4848d0c3abbd14126e2f

SHA512
a772b28515e1121ebc48569fca4336651df210dd7b6b191c7046fd05d0964f183c1272baa82889e8d75182f9fe91d31fd4fc4a185e438fcf4d04a8e98120c971

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
fd350fb92980799387909eb4901bf8d2

SHA1
da5261f302c861891a79d7afcf7ed37c86af07ae

SHA256
95d1e9e33981892df470dc028dfbd3cea89dbe1c04408c556d7246602ebd9011

SHA512
f2be1f7bd6599e2a1011156c1fbfbf465130fae46f6074f861f9b753b8cc838e1579b63dba92a5e2e82ed45883e81354226329ebd5b399e4cf9a8096ced5764c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
f8a7b9ddd771ab1d240b7220aca4720b

SHA1
0d20437518c12ec87fa316db86b93b1459b9f69b

SHA256
fdb0bb2690c4f11a0542e4e6fd386cafee849d6d153480d899e74b2756489991

SHA512
eb8d96d9b2ec36afd2e4adfe0225e1e6f5e77af064aecd1c4bb43f2ad146638342172a6689e22b238e9990bb7bdd6e9c9043da4dd76999a0bfa033c5ad09778d

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
c9a200a69189d66be791a9b532c1d1db

SHA1
333de8c63809de71465be318199d8f3b9635fe9e

SHA256
76dd8bf388432ec7c57ebc1db06adbbed043efbd83359d580f10b56562d1d513

SHA512
0a7be517d0605dcb40bce30de54da11f4989fee0056b8a9b5bd75fee4456446f693d4a9a290e559c82e640ebd87c8d83034b5f71bd1d7723c7ac7cacba29da41

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
08e3105f794242fa22bac29d2f97f475

SHA1
6ea50f95eeed8466b1f6a1f97efc5cd328399d21

SHA256
fcd60db633a4ccbb54edad6316aa9c41115f8a730177e49bdbd828fae833ab20

SHA512
26ce18102a09d6e6af74b5092269c37b99f268c58b0c34f60808675349fd144f467c7bface2bbe4401791e07f248599d915fafe96d9de5b5b7306fff7b97c928

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
55dc73c32f5e8b2b5e1761c3b7ffa23b

SHA1
10ad8e4f1e50574cd23230eb3312a68963d4bad4

SHA256
70e2e6c8382088c5b496d15a3a3090b0eb3d1043a3415ac4a1582533ba17c53e

SHA512
cec7a806a15db0a2cc140e1892a612169824d4c53a58ab1859caca47f6d96cc0608d995d7dd58cff84f3588ab242dfb736bcea081a26b6573decc1a03a78f30e

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
da1a809c26cec1daad62e0e27a8bb586

SHA1
6996abe9c3b16e03adea1a9d963b5b683932786b

SHA256
2509ba216734184bb2fb2e0b9b9a7c1f7d7c488e6ecd8687d3515bcc0d2d3660

SHA512
5e323309fac23a5e4e799aec10327b354e938fbd55339aa40328342bf8bc938ff2bc7682facd83165dc0af00ceecea785f6df2a58c0c75b5daf49eb3270907ba

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
3dfb50cad0d524a381eb13e3112179dd

SHA1
6069bd3abadf0e05412db915ad866f2081baa17f

SHA256
9ed0d4d4087e57f95d51765f0d1f1a8cdd9f483b1dfce753b76b36c2e5a47b9a

SHA512
497d98ef46c80f7e3bbcac1b5b901197965cf628d769c25526aea915299a045f3cc19356a4eac859205c9667c4e33caf9d8f953e8bea9a7033f5c21c4028c485

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
e9dd85bb09a8cbe60e9780acaee95484

SHA1
6eaff09b3c64dfa7a05db030f57bc0d546953e85

SHA256
8886178a382cbb2b2d28f035c8b579b5a29ddcbc867df17a18491b80f8473011

SHA512
31aeb73f7e22d4d7c539ab55110272acab7d0f323b7bcfa5b98b0c6003db4c80b36207114b4cb5379c012894183f6ebfc0b8b1c274df7c33736e91766a521bc6

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
c3514dfc67072c609927a63c408f3d28

SHA1
a35682926c51e76bfa15dd01313c11f94f4fd11c

SHA256
dd0721fe82404ea015d68833cad52d122d2219a406386926284333c734dcc154

SHA512
acc768f4dfaeeb56c59c968b18a2982a212b78d2574cbf031b714d0803aaf54c323cd257b7414bd6974b022abc749bab13b4bc89c56d4063b573c995e4f29942

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
ce9ba6e9fe88ecdc306d5b764e85d5f1

SHA1
ea35e8c83813c186d27a8ea4a8548aca379ce746

SHA256
918c8ae91e28139f3fe920f72e4d5a0dcd90bf9e9352bc134bcd12866d9826f6

SHA512
4a644d13a2448a05b02c2478d709c14d0dcf2f8eaa83ebab0c01665a44be7aea194161e1676709a0b0b1d60b5068b4117edee087a1dd68185e64dbc46139480c

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
05f5126af4eb1ff4a20707b306fbeb05

SHA1
579d237fcfc0962b0b86ed3d765584ae3b5e3537

SHA256
275d068eb98f95697ca279caecdf7c81804c3bb3a48fae208f1ce9af2efad216

SHA512
94bd7a968df12f4394839074649b05391e50c928d14424b100378ea66226e326520a1cb409841eb9ebb85547a99d9c979a8be9e43d7a6d90b2ce77556b0d5f46

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
eb03f485c80ad9b10933e9a7d3ed43f4

SHA1
af599578cbe0b9eaffe781e02089ed622ded5851

SHA256
89aa0319e68167a0a2aab0119653ef0d7d9253bfbf4fc47e6c3aa0a6d481c7bc

SHA512
cc8d69a672cd142996fc7afcef6a8a7279496ecd2dd6a191c356c2c9824a7cd6193b8129441606ebda4dc212d182ddf7e50538c0a20269a1080dadd3479379bc

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
029f1dd3a55cf4e06c8905fcf9110f78

SHA1
337e93346d5894ac94b9aef27fd0ff667c479039

SHA256
a566043e2faa099464e5ae0128c487834984780c8336f9588fd8867b8fd7f4c7

SHA512
092a4e708b6dada1dc69a39355298b6ba6f3dd0a55074303b8161bb06ca6ef8ff5f6bc4d55426f573a2eb90bd6b3941d41481b2ead2e6973df43920827e3375c

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
e1bd97ee0d5f61d75f335aeb6d0e8f62

SHA1
9516b315e49a7d51fd791b458d1cf06feb128819

SHA256
ad504fd46f420fd1ff9dd3e5179b1a21fb15afaeeae9d079ec7e12e37fc8ca35

SHA512
98399e97253aa792683f5e66c81697e5bc83301dfb393c217a10d71fe42c35dcd96650881efa13a13e9e05671f59483063eea6c23a89b439633e3ee9bf878509

Download Submit
memory/448-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/448-37-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/448-57-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/448-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/448-43-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/612-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/612-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/720-273-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/720-620-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1616-152-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1656-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1656-615-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1656-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1656-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1688-86-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1688-148-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1992-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1992-616-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1992-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1992-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2144-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2144-36-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2144-30-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2328-150-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2592-612-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2592-20-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2592-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2592-10-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2984-268-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3076-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3224-149-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3248-267-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3596-270-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3616-272-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3764-269-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4004-271-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4092-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4092-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4220-266-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4368-153-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4544-81-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4544-78-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4544-72-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4544-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5040-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5040-0-0x0000000002090000-0x00000000020F7000-memory.dmp

Filesize
412KB

Download
memory/5040-16-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5040-478-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5040-5-0x0000000002090000-0x00000000020F7000-memory.dmp

Filesize
412KB

Download