1b3ec89dbc0409378043c0165c2e4b307ce0ed7c6b99713e9032a541e9078038

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Size

24.3MB
MD5

8b3900e6ff8773bff0c6107487e79622
SHA1

12c7a9c99ad224f84c1fa242fa938e7e10988665
SHA256

1b3ec89dbc0409378043c0165c2e4b307ce0ed7c6b99713e9032a541e9078038
SHA512

f9084baac788959638ca5d51276dac54c1cf4d63aef678754b27f289ddb206c47427e751c01a4c70d6eced82151f76f69fdd1c693dc989c53ed1c866c580d1fc
SSDEEP

196608:kP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018DS3:kPboGX8a/jWWu3cx2D/cWcls10Y

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1628	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
4792	fxssvc.exe
3468	elevation_service.exe
1440	elevation_service.exe
2772	maintenanceservice.exe
2040	msdtc.exe
4884	OSE.EXE
4104	PerceptionSimulationService.exe
5008	perfhost.exe
4076	locator.exe
3436	SensorDataService.exe
2820	snmptrap.exe
2200	spectrum.exe
1568	ssh-agent.exe
2764	TieringEngineService.exe
4964	AgentService.exe
376	vds.exe
4636	vssvc.exe
4368	wbengine.exe
4828	WmiApSrv.exe
2868	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84cfb2ae92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000286879630daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000978ca630daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000130677630daeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038dacc630daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e28db630daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000219fb25b0daeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a89be5b0daeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exeDiagnosticsHub.StandardCollector.Service.exe

pid	process
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

668
668

pid	process
668
668

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4792	fxssvc.exe
Token: SeRestorePrivilege	2764	TieringEngineService.exe
Token: SeManageVolumePrivilege	2764	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4964	AgentService.exe
Token: SeBackupPrivilege	4636	vssvc.exe
Token: SeRestorePrivilege	4636	vssvc.exe
Token: SeAuditPrivilege	4636	vssvc.exe
Token: SeBackupPrivilege	4368	wbengine.exe
Token: SeRestorePrivilege	4368	wbengine.exe
Token: SeSecurityPrivilege	4368	wbengine.exe
Token: 33	2868	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2868	SearchIndexer.exe
Token: SeDebugPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1836	2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1948	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2868 wrote to memory of 2192	2868	SearchIndexer.exe	SearchProtocolHost.exe
PID 2868 wrote to memory of 2192	2868	SearchIndexer.exe	SearchProtocolHost.exe
PID 2868 wrote to memory of 4408	2868	SearchIndexer.exe	SearchFilterHost.exe
PID 2868 wrote to memory of 4408	2868	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_8b3900e6ff8773bff0c6107487e79622_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2040

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3436

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4476

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2192

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
7689c2505ac653bd8ac45cd93890d6f3

SHA1
03eb01e91fc8e2ac938e00bb4c4132fd26934f01

SHA256
9c1738f39e7af2ed8e9e2d933d08b1c51b8fdc01976b89015adeb58343e8a74e

SHA512
1c2ca2d6f1500bf3da86e67d9cf113d0cb45e13c8c7248a7e30ae03b6236ac44d8da14f852d6fd4a04e599c3fe3f87edd0873bca43dbc3466790a872ac049886

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.3MB

MD5
d1a4320f9fc722e497ba99baed033151

SHA1
1355c364c13f45552d82aa84464b8aa7edaa4d36

SHA256
30148dbc9f7c0128c64a20fc3e29475553713d7fb498dc01bd1765cb6862d01f

SHA512
54f2c93a8c2b2432b3e1667dc1ff82c706b63bb159ad72783912773a8ced9ce2d0943dea37de298ac5344af669f1eb9b627544fb54ddaa0c446d817a7e9aaa79

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.7MB

MD5
da8d5ef222287e99216e21e0652870c5

SHA1
ed191ff178b18eb41031794fef155c30a6c6970f

SHA256
03a0c6b267df682cb808e9fc04a62ac323223eee04ec36e8051be52025a27f97

SHA512
7fa43b40b96c43a695725509ec6dd35cb24973136e569a1a2b06ca4d77227fc6291f1751c83dd7dea1526b20c66dcb93b5399a4e53fe8f2c982ac0f4888e663f

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
4bf66dd16ecbc677cc9d2457e2730a0f

SHA1
31b8e09f4fa9084e1929060967c0161a02e41d64

SHA256
6435ffe8cbd2d27d6adfe855fd3d873a907030398fab243f677391beef749339

SHA512
ab75fde8af7c44fa1118b13d18a7322f93d525b1816a3aafa9e3cd31929a88e446876200a3b67c9f83e295352d3946b74c4a9a88f079eb385e43778e0c3a5cae

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1a9297cff65d51c87d2c5060f5fcc281

SHA1
2c4e98bdf0d785942ca1a1e57f7d3a0cf5ec8482

SHA256
05f2d8ea37d3aca170ae49ce1b2de2b07185228f2aa06356faf52d61ec3b7950

SHA512
a0a61e033acd18ce579e3837ea02c5824c5a6780fd95630cf5c3fccf7f73d40bd2bacad1b8be9b7bc09c91077eebd1e5f609e56f81f7e877f8bcc104543991ce

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.1MB

MD5
7540d084bed36b9a8d8e167d11a3d370

SHA1
a0c0ab5d938ec3f37228b05536e9aa99fdafb6bb

SHA256
1b772705a7ac9ab820aeeda9467626000f6feeb692f188fd18038af8e65f66c1

SHA512
6a472ac6ef5458963418d4be5360d5f644b7b5e7b4ae58447dd3c378527b0b97e1d9758c8979bd433cdd0afd5b20a46616c13888b6aa1168bb8e0666c12a0a92

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.4MB

MD5
d5036bbea76b8f153b92164ade2275ef

SHA1
6cf5422b4b60fca5dc27d183097cfbc8c339c1ce

SHA256
39d112f6e4fa17307ecd5245175e7d54d49eb807a06eed96701254ec6edbdea7

SHA512
99377c15d88ddcf4686afe5aeee71cb70a4419177278c544fa919c49029d4d724c2b4faeb07d5f5960e8a0e4f2a6ffc03ca8386a72c3e6b82b9d82d110d8866f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
21b70a0abec8ba32de12442917b80a3f

SHA1
55d2aebd8b7879cd411344008a012e1762163f5e

SHA256
18f008c9fd94a45de3d2eba2333ba6afa03f0053bfe2b01d3ced49844367a703

SHA512
4e578f6676f7c4b9295303484a64136ec7b0c5a96d83511ba111b48034a8cc775caf39023f8635152605ae91fb57562afa4b23af9298ae6aabf622379067ddf6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.5MB

MD5
892c6c2ec8ded1a971c5d6e3b61a96bb

SHA1
dd02cd585ffc9eae0154b99c385a2f366cca9bb4

SHA256
08f5434ea57f2ddd2addc01d84c4ff87d6004c2e32ecf114969100a01e9c21b9

SHA512
9e23c037be3c6c81652e69bcce8b098e321c54ed0743a5f2f055a8b6739ab54e07f2a1fe49cce49f1885acdc6a697149581905654d1d6193774c296ccebf13ad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
4df20c631194882d7e8a0d984bae43af

SHA1
dc64743004fb616fe33367b7f86b5dd58fce0c48

SHA256
6efd7db0c706a96f588fa0388238941d329e9a27446d1502a31dd9500f906526

SHA512
18ca063db6b057c279646a2448ea018309eaa6bc79769ad2fe5d8172333925ca8e5b0941949b96fa02393ac210e251c49c80c81552de4dbfbc72eb10403fed46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
93e713f5366eec89e29dd15beabb08eb

SHA1
fc4c6504b31dad9acdc24792299bb2546046e297

SHA256
295015f68d891b9aa9a9efcd8c111d167c7ed7202a4bbd4f5cf45d9c2299ec77

SHA512
e984cc7c4c247529617bd58b5aa0a2f6850cce4e70f92ea8427c2fe9e4c95bc4f979df99003c931a5a3ad8d05bf2a4f1e511e1e7a5994d230a6436a3f27dcd7b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f5958fb66f2a7884a91db41b23029ee8

SHA1
21fd422b55123e36a78715395eaa953e138b99f8

SHA256
eb894f614a4d0eccd59ca45fde8fb28c6024d33c340751e3eb31688f5aa06f3b

SHA512
6b5adad81063c5a773281316344792fdc85c085352a79a518d7934c4c0e30bb2c492bf605192015a68145f90105f11f00f251b4e2dfdab74c2266d4247250494

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.4MB

MD5
3d3333904aaee4f8d32b61e2f7fd7b60

SHA1
c50efc8b43865d0fdf3c7cd92af5edb464bc6188

SHA256
cf0cf7915911eefb24b6536f74f724f9ab34da8a602e49fb44c2ce5c98bcea55

SHA512
5486568bfee42a3f067ffe9efde0bb63ce03a2bb1b31398fae467ccc58a753b44f6c8f538e15c4867e76a788537b4ce54bda0afd7a806511d35c603237ca73e9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.2MB

MD5
c12548ba6520aa76aa7de70ecaa98e84

SHA1
60d45dbafc718f42f63cd0906e4bb6e689ad50e0

SHA256
38f70f5cec3c47d1c8b1a2cd81e40cfc1d32f4b63bfe55f5b08674c32716f7df

SHA512
788a22211971c70b10aaea570f87b2b6740d0526f13bfdac39471d57ec0acca14b980f6d12340fa87efa07fa6ecce6eef8c091db11d669284cc8b52770eeca1e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
e3da3e3ca22a5421fb40648733290aba

SHA1
8c92ac4e0781c301258c81163751f36f4f9536c8

SHA256
2a9cdddbbef049629181912992757fad791f918df051488817f27220ba415827

SHA512
073553513684a57b090aa7cc6fd43e0019b3b673f921d5b16313427746930a693d642e405a28b769186e3a50621c5ef2847f49c8d524ddd4bc89a6e699925fbe

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
488a91e1fdeb697e1ff66836028eb257

SHA1
fc50c9fc9b32284b80dda3403317f72444d1d1e6

SHA256
eeb2f5d7c9f7efa90f52244e49fadf8618d7f980d21839d8b23f70ab9119c6de

SHA512
00f08840a3172eda83d676dcd88eb27bcfbeae24b8bcf9b90aefd66216ed9d845bf79cf7696f4300288d30c605ef68d0a52e9414faf224f79f5b622b9faee4b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
ddc618bdda69a7dacd2be2b68457389b

SHA1
c5b40741f1983e7de180e39e73615a87bc98753c

SHA256
e0e0a876df81ebb72d27aebe3f4b52a39012cb7c512d5b1fb9154fd41bf720ab

SHA512
77693d5115c16531d33933acc5e13bc733813d38df8e3b109a8d6998cf3c3a26185be174789ede6e11ac6405f0a663fca4ebf2a2c9f9422f58172a5166fdd4f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
4076b73e5412e0da341c1815732412a9

SHA1
fbab0abaf6ca6bf7a7dd5f6407ef63d4dcd82599

SHA256
c29f2e01e3ff495584fbfee607e624ae5b018e9721f43c1bec5421bf401c8cb9

SHA512
410dc24cfbeb0e91c86254e7dd80e147f9f8360e8999937e0fddccd44de4af73684385dc7d7f9f41361cd71db7574b0585dedc7bf4d0f6c7efd5d61b3f46cb88

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
d15d0a9d76a86ca183608b6be8924357

SHA1
c88a03a9fa8e55c86617729e57916127b33f4c2e

SHA256
6bcbf3acdad24282d090d6dab66e04c546c95b64b0b33dcc1beab707012a1ab8

SHA512
dba66007ce780952f55a7bdd494c6ed9bfaca20589b42d03892ef7ee4a2162585416290dcb07c68a7f3a9c62d4816c524daaf936b48270a5534b99cf73155725

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
e1321f96c38e45600283a6843faea091

SHA1
092d16cedb65cc111a1c9d313529f26f838cd80f

SHA256
4a5c6649508b13ce057f30c120ec7ef71c6bc9fe551e313bd98eafabd01ccbf2

SHA512
8c4e9804f824ac459d9063f79ba080720efd46a29218ba6db1d1ddf4ecaaae119a61c5b5d041ff5feedf6a4b56d1a7a87c79eabd0eb0702b732c1ec603f603bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.1MB

MD5
d790bc9c64626cd9e2c51dd79d38629a

SHA1
2264e7957b23bbe49ccb9626cc5d6f192ac8b200

SHA256
e410dde17722f3c0525c699817553b5aa8e7d584d2611ca0bd382c8076a74e11

SHA512
1a2b974cbc5a440d7f3542140923d72ae71bf77b49fcbf1c7060044799b385a66a9270c722b55c9a78c55d11962db95e2a7835ddd4eca66cbe5c220a3daf7133

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.1MB

MD5
70f5577ab1a8d7369245c240596ee0bb

SHA1
af1b70e22d4bd7545f1b4e079340f873c713f3d1

SHA256
bdd040f7f503e9b9805cfc515c8b6d2540ae1b2e8829ab4912f7dfedabbc7b96

SHA512
036f25faff9679aeb38a75c3703a1aab6ef2f6035471629ac120a0a99c602c48c8681ccb324d1611ecd71b9ec2ac55f3e9ef09e5b83982cca8d1396972704b13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.1MB

MD5
b70d516bb1511a577d79d8fdf449eafa

SHA1
d8a653d0c40f4f62bbf36aa7df1cd56b2360905f

SHA256
5158d48eb6c66867b8d677c94f5b1a36df251c3231e261bc139beb4065d50fa2

SHA512
a56bac88e0ce38e3f54af4515c6a3ba0387d0ebbb1a625c3de24f11d9358b2067555bc0e108602202369852ed2335a06b40845ab012d41c3e2a43a317c9576e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.2MB

MD5
7ed722e64a6f75e9543d9186617277b3

SHA1
1e96794409fdae2098540ba3a3b493b0f2eb0457

SHA256
d7793fd7ec8ad81195dfff10d8c7982313fc997d16245c34c4e2f67bae85ffd4

SHA512
fe40aa6aa10069413d24123d28ad4d692ab8d5472063b3db69b478e514a8df97aedcdc8479d62898fe0ee28f8c19b556bad30fd70f84b9fb6f5f90c7f4dbdd57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.1MB

MD5
70d8bcbb4fbf81f86c44a8ee351f5ce3

SHA1
d4212f30104c4a31c2887af62acfe5916de35c51

SHA256
2c9863c8504318be2b9800ca3615379fedef0ae180417d42abe6d812473dd004

SHA512
7ed494ed028317f57005df28da494758d3485b5177cf58300d60451dfeebc69e6bae845df69004c95542c44bc89b8dd4e60b7c18f3b0453d046c96d15f47d118

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.1MB

MD5
cba970ede489ad22ec57986fe05f6ee1

SHA1
aecc9bc314be2664184d956476ae98857aaf39b3

SHA256
014ec064f5128a5920d57b0b5f42844acefa01c20c9e43fd6ee3c7cdf50241b8

SHA512
a5ef70c3a819d8b6eea55183e43c57718fa9c5d9537ce74287701d41ceeb0c73c0d5439062c7168e701ef1575e8f4c25d234a5a5a8fc7d58932115e396fecc10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.1MB

MD5
9c4d4a3190aeea209579ae1c6f2f95d3

SHA1
5531d62b0d3e5b26db9fcc5029df1e08f6325ce7

SHA256
bb98235685096929c2e74f2a0456603b8e2f0fc060c37b972385215ac37300dc

SHA512
a30af2eda64afe0e3f8f2f960808b0666b280092dfe71984b4188991bbd89e78c3ea4a638a115e4b0c3b561744d114d6af2286253369d1953b5aa959abfcd7b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.4MB

MD5
2445d8091fd6bb4c6980e158fbd9f87e

SHA1
66184a247c9ecb7050d3b00d8ea63368c43d2f61

SHA256
8bc7ea848dc8e85e99dfc89f1c1dae46763be977414ddc71dd47ab9894897e74

SHA512
883a44451332be5a5d1ed02e604affb6e0ae1ba6e5cc04cbb9d29f159059d3907e0f71df6751fea7cf3ecb0ef5a7bceb859a2e23f908fee688bae2b73970860e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.1MB

MD5
491de44108d715678a1d1ae3fa108404

SHA1
0fba5eeec58e34e50ab914cc0a5bfd8ae7fca1dd

SHA256
bb23beaf8c138f78de9998c478b9c3ccb9411a5445dde42aa3e3d99af61aa63e

SHA512
f35baaf4500914d5d80d5bb90ff4eff872ae53a2ffaf00d82f432a0763794199d2508d5359ac092281f89c3882861bd1dc46baf4dbd6810262399c54683c3de1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.1MB

MD5
83dedac904c2bead3a10b4a23d4c7c4b

SHA1
784acd51c0c8f99d627d57ff560c69b1871b3e32

SHA256
566e9605ea367617a41af1e12eed69ad149c2535d74b415383584c1f1c8b3307

SHA512
bfe2eb993faae47dd286b3391ee9428e131af87cf96e6622965e50e06fb69733d05bb5d8098b1e68ecdc871221af35c5e23fa4c76afe501f79849a73cffb5e65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.3MB

MD5
4fa232c9abe9aa6ea6aaf98643f29fa0

SHA1
6889c073b38fb22d82bb7c7a6d1011c3ace6e159

SHA256
d3b398ff4c7e7b97509107a359f17cde68bee778d290dcc73cd263773716e899

SHA512
dc74ee067031293a39eb0ab4cfb396f1ca223b2d0eceaaabe16da6b0986d3e397f113cab329379010ccb42c41e9b7477e81d25986616505f8f588cf47d3949d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.1MB

MD5
c1f374887d27c935b1b4c50ccd4f223a

SHA1
8d27ae3116cb5b629c0a633f4ef6d5b5aa6c37f1

SHA256
6fa5a7918a367b7979ce187a4bd420ad0711ac8bae88f249e6e187a9a011d0c1

SHA512
fb4547d457d4bd947a8a3eb7cc44243d0f4ef917c4ec54bf77ec9528095da3f628ba53232ec1c3ad49d4652447a416b1d283fe8aa1a59d71e79322e05fd74b27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.1MB

MD5
ba93f6648a3aee7725cd6be1b8a3b4c3

SHA1
dad567332849ecdc22a313090d83b8a8c5e4376e

SHA256
9674819ba42538294d0852b1c2f72b258f0ade875d9f6b4eb9c84c32a67d7420

SHA512
d10bbfc37242e2690c62c22c1b4a1dee436cec854b0d06b5afff4c102ad56c02ce6e7944fefdb20891bdb10380c12c0e522f725b4d7dd6c59292c90fb5bbfca8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
bb1e80be13bde3c7f2e3f818cef79b07

SHA1
c021b884cbefcb6705cd1aa32f3e1be23f874064

SHA256
acb4d3277dc9209e5862717c817f06590d56977a4e8fedb0710c6fb08dda9ec8

SHA512
7cdf88d68c028c6358e5be720773de5fa6d41c2bd7ca311a2060fdf7e65995d42122533faf904676e1c85584bc7997bd83e7ce5cd11f58350cb4b0bf4ff3bda9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.4MB

MD5
1cf47346d0e514f3a0f9031eedaf63d0

SHA1
30ff722f6abb0d13f542923a9e2becf1a7c76b3a

SHA256
51168127365784aa3104ce447c966db59e1057267ae99865bb092f8faf4d42f0

SHA512
7e4416ecbe3a7f86b41ed1ee518dadda3e0f3806f7d6b32474b34aab330f32d4582dec3466ca0b1b402295ca667b936ed30a930d13434c991813a3fb0d9f96b3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
eae31e5d8fa4c3189320f4e6f792e40a

SHA1
799badc0272f268c91d49add4d8d0efaac762ce6

SHA256
47bda773d66401c7826bf52bc008d1c1d76ef492e168ea5999fec46277c9fe06

SHA512
732d7e54c423c5dee5efb4bed2c538cbfc882a067b0a3984909ff8259fd2bf6c278a1b6402979f0a5a408254696cd15913fea65a081ae1d868f932d6c99fc4cf

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.3MB

MD5
e6daecf4f313a1aa9628656d0dd5a021

SHA1
60c94c0ddfff192a22064133be0176d1ffa2f56a

SHA256
dd7c88fb9666c45c0bfc14f98a21c11bff3fd8ba8845b56b85c44edea50beb11

SHA512
605c7c5c9ad9169137e67e43a72f7046c8824b7be1d5aae2cc3a9e8db8844e73a60b76c4e1be30360da024baee1915c25d2cdc363686343ff1ee92881b8002d7

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.1MB

MD5
7bf3d4aa913f7db21b6bd531b3b30a02

SHA1
92010784db95fab377444d94a2710b8508046615

SHA256
b49fb9da7de409cbe74273d701feb845c3a6b97bd4b9ee50f3f75c7402788e24

SHA512
faf0fa22324eca949f41c70219ca2e61f19cef224b9786b3249327eb54b2865babd1f18770e7659b1451b51fee19ccf10830a332b69b58972f386c855d5631f8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
76110d11132678916515492eb058d867

SHA1
b7159b51784d8c0447e6341e021344527a614054

SHA256
ccd31985f777298343f0649678443f164ceac74606a0a773da13597096c34d47

SHA512
a81558bc79d13f6a75bd6cfe97e704a4b7f706fd34f3833858f5ce4687370ac2bcc2ebfbb1d6f52564f18b765a240386119429f2d9d034b6ee4df82736ec04fb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.2MB

MD5
a29f6682552a98d677e533af1f36c2af

SHA1
5165ac5335773a4fe3816335457e385c68af9c08

SHA256
9ad8d57f0f404d18dfd4474dd98495ac0c9c1a0154689a05287ccaa7f9bc8ecd

SHA512
baef51ec98f22b79e190e5f18e627ef9c792fec3488fcf759a39aea9a511855e43cceba52ecf2cb98098ebf941133df29487686d6adb1a6b98f7abd2b4e21422

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
e9ab015fd1dec27f839372a565263d09

SHA1
3ac0c546040fa2f0d90483e59e29f7e7c02267b6

SHA256
43c44e86b7ecf43fea1821f7cef24490cf4a333bd432bbc218ddabbf012e290b

SHA512
a29bab4504258c139be2a0a9570211a008c0f2d7ea1e6f20a8bf27788fc14af663bdd2bd1987c432e815b55c2e8a1ec013297fc619fa6661dbad817d61d62417

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.1MB

MD5
d8020bec86e096d99613a045533cdec1

SHA1
bcd61ef75e195004bb993a8b0eb0fe92a343d128

SHA256
e52df8fbc281ec5409f800994bf25e827aa7cae2a4f7e2b5bf32d69f257dfcc8

SHA512
ad6cc3d6a4e26f1f02281867ad0e9bb44cca9b223e126c842830c213bdba2115f74857d77566f15fc43f40c39fbcbdcaa84d80c6a0f637c5500ca021405eb4de

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.5MB

MD5
f39f5d7b5937ab0f8d5b4c42913bc251

SHA1
a530a23d6ef7bf939efb6e735e676a178ae19708

SHA256
e72e865e304e83fdcc7fcdf22ac06edc06dd4140246e71cd813ac8438713a453

SHA512
0523b96b19972947857ab114fa209c00ca7044d21e10e06729a7fddfe98058d278ab2cc175f7111c43f6e4a525fd14bf1f5cd51d26f9171b251b4cc773a3094a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.2MB

MD5
18998333a693db15303a43ac9fc72640

SHA1
4c865f0d83a96aa645f91543ccbc4e3306019979

SHA256
c5449ae2bf33e87507c95404f66dcc5da2a099416f698918e056ccc3f543fb2d

SHA512
f0ba3ebcd8d24922de532034858ee58485e62cb85efd0c7104003f2aa7e30255608f44aa84a55c309e951fee965e546491331dfa19ce1f1a48f5cbab981d2416

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
ca55c69ccd7281676346a0e8877ee9b7

SHA1
e2eb62a69019b4418a07858fcc32b972932f4d3f

SHA256
2f0aaa1ffea3045695c283b49d9c809096467a7926e01803a78842314d8cf37f

SHA512
9d7f4a5b3a94e51236dc7f8f356d194c3b93714a466bce4d586975ff87fe8210614fe6e2437a6d825081221a2dedaeb3f33528454ddb330b970df9fc40a9cc6b

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
d2a8537615f5f2fdc5f31f7c419dba14

SHA1
cff7f3469d9e186716b51d69a83d97c7269b155a

SHA256
0b983054a1a875335a2d64c7a129cdd1cfe56ac9a3176e2af1ae0c20e569e659

SHA512
84609fde7b01bdc614dc486085edcfaac68ff29de0bbf946c6d82d178851ba782ce5a03358b3326c0e5ce3c07093b9dc6f1bed0f0c9ba05eb73a484988341dd6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
4386f2822af126ab91950bacecdc6c59

SHA1
dcf607f0f308a970ad03dda917a0200d493a6804

SHA256
6e1c88cbba4402eda76212f4fdb509d88e155056d6de77f6adaa5cda13d23561

SHA512
89808ded8e0bab0c5a855539283f43934b1c3e56178f7fc1fbf97643b46328366bf061a43b5fa4a42f715ac3d2c5eeb6031db718f3f3e168dd02a63361ed8a8b

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.4MB

MD5
00673bb4096c3a0939e5d8fb9ee02e8d

SHA1
a39f6a696ea83ce43398355a8bfb3825c5a9fae7

SHA256
af92dd580a143e3c03fd94f023f1966e45a851ae89257a40d401e974aa862f1f

SHA512
5f289b5836b320fd0200d5318bc15f67da5ee0ce3e0fe8cb082c924b63956bf6772b4baf46d695cb1b07c08cbed69aaa71e9437e6edd13d6f9e608ef0637d247

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
8ec10501fd17e7300d5fe491a1442f54

SHA1
658d5c02a375055a08e52f3c9f0513901f16b045

SHA256
5dc7a0db4592dfa3878f5388fc1c8e1cf210fdb2d38f613716da6cce51365afb

SHA512
de1b77aa97dc6e150f4ce6e239184bc11816ebd00f4fb42fb838fd2e8f76c579bc6c75a1b00588519dd129778792e239bc2c31a2130174dd6c066f7b8a8ca648

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.2MB

MD5
d32e486acbf9451dcc3b3323992991ba

SHA1
c4d60fce43ec0acc20e5cb9d9cd9422965adaff1

SHA256
411252db07c0a04560a1b0aed743ce6357f57cf02231cc9110f8992c31ef6372

SHA512
fc82b6be809fe3525c0dd8db55e456847b791e9c196f81c5866606e2b6d9cacd37c246088fe8464dd94e6354e3b645f38212cb5dff9d19f781837296e9fc3283

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.3MB

MD5
37fbdc7fb19c7db712aeb3ef259fe5f3

SHA1
bd713e2112c59270c9fd9ec4d0696605f0ff427a

SHA256
2e1a10e9ca0aeb0c4d7281db8d9895b54c2af4bfea3fd40b04d4d54cb01be6ff

SHA512
5a0c77de3fd9dabd3a50bf6af97eecf719b6eabfa2c8958d4ea973834d2f656a6952d4a8e7acb334a83560f8f4a81536e9be397268ce337acbad7e6efdfa0d61

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.1MB

MD5
bf69970abda38fa238292cf3740a7789

SHA1
45a0f19e1479448175908a1b9feabfd941f41b6c

SHA256
50970027c0da3ce9c54a46691ea79c74a5ef049ced0f3ff06e879f0358b8b130

SHA512
42a03ebb5dc1fbde00ca5cf67045fba367182fadfecacb3155179df50d3cc022290ef7fcfa60ec42653bc1db9c5a792ad91caac47cd9fd5916bd177ddd85cc8e

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
fd27df91cd9553d4fc2b3382bda16a46

SHA1
1786aa8b1e8357b8d823d771af74c2d19c6f39b4

SHA256
6de77ad1d446c7d0afb839b3e81a63fa08e3be822179dfba19346f6471fbf385

SHA512
c48378ce7bfe5fe5a012f60d0638e495eb5fffd6f4f17d0a4e646b9c5f163f061c5ddcbd85c4b907ed2b3a969afdced48ec162f7193fe7129bb890c0089e0d1a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.3MB

MD5
51dada4a725aeb00ebf34568aa090353

SHA1
bb3ebee89f07fa8bfbe198fba6932c66425dbc86

SHA256
1160cae8a0ed80882052b6d680afded1a2cfb1c05b44dc5ab7cadabf9b629b8b

SHA512
6ae39245270c8bf90747fab4a3594bfcb4e4f0d712347ef7da8d6f4947e63de9524641092c262ebcc6c54b39446e2cb2f057dc9f950d915b375596de711f61d5

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
bc0091aae6b072d1ccfe55a0796d7d01

SHA1
9ed5e2b61b4818e905c14dd7ed00cec55be51243

SHA256
77df4d6d977cc03a48fdf6d72eabb226e28cd001324dc4b658b8c22327da580f

SHA512
08e6baf2bb3537c6d1328e226f2203337d8515e08f671a2d363c22f10770439554b4475baf08a2f70a905197013faa7c06c1116da1803cfcb22b925def87b260

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
b813ce08b2afa3b3fcf4cd4de9820b1a

SHA1
85d34ac79bd6c2bf02182fbc12e5f1c67f034245

SHA256
335d75e7dfffa82b310afdf70244be92d35fb36891c39b5a423e395aa70ea313

SHA512
8ad70dba92f7698221668d3f847315bac0a01e532c9e635548bbba826b7cabfca2ce2ceb653740ee14b2000dec6f2d10e1c0837f0ab9ae4fd661e0d031c021ea

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.4MB

MD5
d11482ee65b21598262d7c91f778a2e1

SHA1
845bc94e36c88fe8d08bd7a987066c9e972bd5e0

SHA256
a538bf1f9aa9eda4b97e832b7399d390c358ea19cc5db440b612cb6d9c5cb4ba

SHA512
41fcb2a107bbc70a05abd93490a430469f66a71d66d27394f928a61cccc7b5327604db24ea4de1eb345bbfcc10d9d19b1edfc3b9cc5a677c4135b153be1271fb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.2MB

MD5
7357e41d294c5a084ed9287006c72c94

SHA1
ef595737b774f34cc00fc30cee4ac81a1ccbf878

SHA256
2159aad163b13912958188548f9e7c4344a9b3368c5a0b071d49f647dde8f752

SHA512
24c1b63e823242139aec80e4c5ca54e96f204dfd8a6701c3e24b50e46623f105fc5dc4df83462ffbd5c8572dbc3b5ebea5e007f92f562f23826782b686f9d4b1

Download Submit
memory/376-150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/376-384-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1440-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1440-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1440-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1440-142-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1568-381-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1568-139-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1628-11-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1628-107-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1836-79-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1836-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1836-0-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/1836-5-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/1948-21-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1948-15-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/1948-23-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/2040-81-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2200-357-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-118-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2764-383-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2764-143-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2772-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2772-59-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2772-63-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2772-53-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2820-115-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/2820-285-0x0000000140000000-0x0000000140128000-memory.dmp

Filesize
1.2MB

Download
memory/2868-439-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2868-166-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3436-380-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3436-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3436-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-37-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3468-130-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3468-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3468-31-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4076-108-0x0000000140000000-0x0000000140127000-memory.dmp

Filesize
1.2MB

Download
memory/4104-94-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4104-92-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4104-153-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4104-86-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4368-158-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4368-435-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4636-154-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4636-434-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4792-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4792-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4828-438-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4828-162-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4884-76-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4884-70-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4884-80-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/4964-146-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-147-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5008-103-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/5008-97-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/5008-98-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/5008-157-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download