4e6df514660ed97776ef0cae9af57e28adc033063f551ff735846c52f4efaa60

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Size

24.3MB
MD5

23594aa72e0cae7db5e0ab3a608f6ed2
SHA1

0b8872a7c315683bfbf87d9de90ea85cb14f27ab
SHA256

4e6df514660ed97776ef0cae9af57e28adc033063f551ff735846c52f4efaa60
SHA512

6e0c0bd5bc6eb9838b72f2fe52b497ef12eeba47a0de1b3e622178f4da220c0cda5bc010dd055cfdc6193f3fcf57deec751ad645a450d1a267a0fa13bbd52766
SSDEEP

196608:vP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018IehI:vPboGX8a/jWWu3cx2D/cWcls1RehI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2264	alg.exe
4612	DiagnosticsHub.StandardCollector.Service.exe
3960	fxssvc.exe
1880	elevation_service.exe
4400	elevation_service.exe
4412	maintenanceservice.exe
3064	msdtc.exe
1740	OSE.EXE
1528	PerceptionSimulationService.exe
1744	perfhost.exe
4168	locator.exe
4316	SensorDataService.exe
5016	snmptrap.exe
2136	spectrum.exe
3300	ssh-agent.exe
2968	TieringEngineService.exe
1912	AgentService.exe
384	vds.exe
4012	vssvc.exe
4412	wbengine.exe
4868	WmiApSrv.exe
2712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\vds.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1a685e5c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089732b9d6fb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065b0079d6fb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065f9eb9b6fb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ecf60a9c6fb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbbed19b6fb0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c532069c6fb0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000770fa29b6fb0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3960	fxssvc.exe
Token: SeRestorePrivilege	2968	TieringEngineService.exe
Token: SeManageVolumePrivilege	2968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1912	AgentService.exe
Token: SeBackupPrivilege	4012	vssvc.exe
Token: SeRestorePrivilege	4012	vssvc.exe
Token: SeAuditPrivilege	4012	vssvc.exe
Token: SeBackupPrivilege	4412	wbengine.exe
Token: SeRestorePrivilege	4412	wbengine.exe
Token: SeSecurityPrivilege	4412	wbengine.exe
Token: 33	2712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeDebugPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1424	2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2264	alg.exe
Token: SeDebugPrivilege	2264	alg.exe
Token: SeDebugPrivilege	2264	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1012	2712	SearchIndexer.exe	112
PID 2712 wrote to memory of 1012	2712	SearchIndexer.exe	112
PID 2712 wrote to memory of 1764	2712	SearchIndexer.exe	113
PID 2712 wrote to memory of 1764	2712	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_23594aa72e0cae7db5e0ab3a608f6ed2_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4784

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4400

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3064

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1328

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e6de071f81664a32aa266ac664dd8e73

SHA1
1ceb042f9b471c1e5d829372d46843c0b563c879

SHA256
934d08f5146c74809cc7a825c7ff5060e537489ea7f26ad887b2276110514b0e

SHA512
434925a0b59c019156386d04ab7307761bafc156529b1ecd9ae32e4fcca5ae11f4ee11b2ea2352021f03997f63fb0279c1f56b32fec2816c4ec114e87d58b072

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
dcbe9fdb74a1b78ddcc727d85b9a67b4

SHA1
1fd801edf97d184aa9cff6fdfdc924da20690a57

SHA256
8dd635ebcd02446e53eb1c8337f7a0197ba992444b682f58342fdb8e53d3ce59

SHA512
4978f2fe3dcd7327c3a71aaac3916d5f5e42d0ad2c54a5f47d587ef7e71ce8aeeca8a73fd5c288b6adc630f546bfd7770472479fc209dd09cb8c3ad0db9e1773

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
d858695cd52f5fba5b707bc5ca7758fb

SHA1
682d2c40c24b5a3f3ae4b01ca6d308f4203fa5d3

SHA256
fdef684ebd975a86ce6f93a96f7f88b938c8ce4c6b897a3813121c7daf0d956f

SHA512
faed54854f898bf63163f35cd66ced200a93f9140169d483c460104d600648c36d49120e5e701db6a03ddc452f44b3dbac5a17ac6fa5fd782b4082cd976b34ef

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
19e8932db14ceba3c6e49a31c4f3b75e

SHA1
1e879f74e606739d662b45b6146ac3e180fc77d0

SHA256
c628130342cd638ff1b067ddf6ef03a4d3cb43a3e8e79218ddadcfe569686fbc

SHA512
157f60e5ea1b33547f184ceec14e95584d16d88d37d0b9697a2487ac6edec9b46c43658ce9b8599b12035f58a78c647b3fb1eae8dae78ba77e9ddb5d31259c11

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
591e9fbe591693cf44702fa4acd5cb21

SHA1
6e0d3558163f7cf1f198b3788509926fb87c1e3b

SHA256
b5fe131456e0f640ffd53a2298ac6d412bb6faa5114cb6e158b9392f2b5bda4f

SHA512
3377963d23889cd750c9b85c1005ab70c7c9358ae799126fc627e2f0eefcc06c7d0497561cb45042d35cc0f9c273ae8dfc6a675e47eb5dd0ed2516fc9b64d148

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
58121d894db0110cc9b3bd4e5e705d35

SHA1
8185d87a1e43d84de8d5990ac5be321fc7753af4

SHA256
da5a75f9daacacc93d704f374dc9e65079009602d666ee3ae62ca7ddac147ea1

SHA512
a621c7ed02086ab29592b3315db8b26fb03b8aab35fb22af31e2b4adcccbeadafcf28a6707857623d4f3a3e20e25076be4d65173da561ff41f66dc27ba442d32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
c2d30b86a5b4cb1010b238f3f083373c

SHA1
b8c8c8614010fc01f6d7e32424cf630fdc718f3f

SHA256
dc82ae93acf691c567b0c0ec5f54b3e310b10e40246bc0d68311bee0bf55bec2

SHA512
7ddc7848eb98003a9261d13493930fa5c88d0abcaa358e15c765b187cdccb5389e6a17e58ccda7f62e11345328b797a73ca3be0a985f0d28e4bdc880c0d18a0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9acbee78105ec1aa8cb9a4763c155804

SHA1
010ca6a59bfeec7445ebc87b89bd5e73b776f2bc

SHA256
5b48d0830526af124f65d06e1559ebb747dcc4e71750546a89b0e98153da7086

SHA512
d3113e09548c350c2cda0515f7c532e85dd5f795be25312a9c0e36f917f5b21422d4bd80467173a8792dc37707eed54d0132022b020b622ea3c9652b5ddf7e91

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
670e3b5619a5227abe375f6e3d3979aa

SHA1
2608ed508346a76e931413d30314bdb0d0a7558c

SHA256
ab227c49d3e8af29554704c5d9749c0160be427a3467c034763a7ec0246463dd

SHA512
4fee42a981595f5616a5504764a564b1e67af9415d53499aa5d9d1fc7747a83546f84991829184af0aafec4282d1d5debd7ef4871c525960cac9827fd4e7ee3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b144e6d2e7fbfc4e7ceacfd8c92238a0

SHA1
043bd97b981c148097d3a09f7797c08e71c6e180

SHA256
dd199121fdab93b509d6a0472b92d7d1369715f0cc05dc1cddd88db6be992b71

SHA512
bdbbff4708cc6a22b4f487765ad73623a42d11fbdbe5cc0759213d543eebd911ca7d0cd8c52031e86b6faae920d5dd3234b827004f8f364e1a4f86a2f6383ef9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b8747d0b0c691bdd2b3d298f047e4c7e

SHA1
8f97652938473254dbf6fe3d7ad8c04d4c9e697d

SHA256
12cf980b2c859bc3490179446c75b6177038da8d7944a73da5a22bf2a570eae7

SHA512
2985c8284dc8bb4708963d3e179764e9c8138240c3344b2c1bb56b23816b8651f2d69dd07afac479484020650011274ab3bb90ca31b86a2f46520499e8e20b88

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e7be5c544273f6e8b54888d60041e421

SHA1
be74c43511d81520620ec16cb979a79a414c4427

SHA256
660c68bbe1cb1f08d208c99ae831ecc2c32e50dd682b03fc1dfe7d97aba2455b

SHA512
9b545827033b166390204ea1ceaa77dfe43957e282673564fd1c17d096dbb3b2157f1e24bad645d0f4c83e7f96457f5d7f85ffc3241950a4b5ff7bc2ac84e389

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
54c2c474502537cff7450b23fedc9864

SHA1
d19c7a29e501ef42c21ab60cd81b5f61c2e880bd

SHA256
d44cad546962c039743a603b9e59c79332340e22553d3c101595ba6b68aaeddb

SHA512
4bfe26c80757afb4cc02a8306d07355e9cc430695939f1c4db0749af459bfb68fe39cf4cf9259a79fd62564d091f571b605e5475b6a754d209c77c170ee18957

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
b4f06ceb7ece00b58e038036fce4b569

SHA1
90d4994cf16fb9a644523fb9beacd63ff22972d7

SHA256
cab06f28d40e6be25498094a5500e7655e85e11abffff08082460897e4533916

SHA512
eb8cf2966091c7bd5d0fe362ee0f94b54bbad7aaa02a1d90115d22af3f6ee2a8498d142ee3570b842194d81d3de44bd77f334aba13215916d7291036da0a39a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
16bf233e86e682bf5ac5f6492da16e0d

SHA1
cc4ff1f0585bb31e7d555f07a40e5096fec32c37

SHA256
7c586ba3d9af9c519029c4f781306e02f7e411343b2ed1808f8b875927fd9978

SHA512
b9e5654fa34a080dc38943281624792a74ce6b18f73cd0f3ca5b39a50a4530a57bae077637f562949b91ac992df0860586dddbf3bc6db29d19efb0461a4b2072

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0dea917b968dcb7464467890b8633eec

SHA1
ca97b64ee55280c42cd098dbded96bf4fd67deef

SHA256
21c091ba93d2e8c2e4774d0da0456c6d7353094a4c0dd847bed41c95d9b69706

SHA512
d52db6681e7cd96a69415296ab7f2c253b7fb073c6bd57d43b8718912128e01dc3b8ce7ad72f726b9baf42dbc5135a3e8323841f8fa29f3980e2885bfb58fdcf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6791e2fcbc0fb88a3cdbf74d74c13b4d

SHA1
2c493f13f60842426da201bccb9da3996832c7a5

SHA256
e2ea06dc41876b97fdde7d0577315bcbd9bd28b2781266533cd88620e98d9f22

SHA512
38040a2896ed94cf204b83da70eb78d743c9f7577673a5ed93831a32216b883b452d953b92d749c91e55cb4b34269c5e78d099a3a02a846876e9a91c38bb3d21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d71cf29ab11af7708f8ec7845c3f6663

SHA1
e7f52ca2c2d6332e265b684b6f648df8ebad558f

SHA256
66d50579998ad78021ecc3c27841e227eebd43a335b2d5ba31e47d36bbae4879

SHA512
430f8dba6709504eb8788bbaf996592ab1f87e17f8fbd053bd84980ae1cdda44513e5f40af986bfba61bda14c0e21d35c13437e2475396e69dad57d14fb977a6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
485069197b1a550181fcf0eba538f1d1

SHA1
320c88389dfe5cc6145c8376210498f3a624aa9b

SHA256
e3ebb215491f519360a5c6231b584ce2b375ca58cd0646f57e724284760a4cb1

SHA512
b642265d412aba4baac070ead0bc8272fea3461e35ad91f3cba4a9928bb568d6dc66dd784c66a45a715c9678f5cdf824ed398d3c83e5803f57a72d12a756d7e7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2f4ba6539b26fbb7db97295389d6b41f

SHA1
d170c81c5af445dbd53a205c1e7e8eb0599ad533

SHA256
b144dbcdc17cc07f45be24e713b128858d0f9dff74699e85778afdec09582f22

SHA512
8724894d6cf81570d88d68363f0214f1d2cce8120532566bf6779b33c4e4eae7cf64fb12505e7804ee7092f38977d3af0591bb70c11a91bc618d80bda3230061

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
0323ad88152014e97a47d97677ad6ee1

SHA1
9fdc65d7ab1682b93787467cdc7f4ec20f808cd1

SHA256
8a623e35ca211fc0665ea0cb784422efe4962511f3731eb2a2bd1446a528ace8

SHA512
3da4589406b75000e7d9eead6f6a6cd4b3bf180256915ff442090e2a808a66685097f0d25990a3d5a994c22c1f627d3ffcf7334a990d1129d9d2fbeab784fdaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
44fca0e6acd997aaa76e721b91d913bd

SHA1
f9167df3614f8bda094fc72f726f9202e8b871ce

SHA256
b6341317c7ff406e5998f504c217683a753bc22a316a86de2ecebe6b94a0ab95

SHA512
649f3490e335d4c0519e3983498de9f76fbe9ec241223838ae7a8e7a292bb101c7ff3d07a46f652773b566e374b6b618f18ac4b4b62701104bec56b5782c8b47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
721b20fd3d481b2145adf070e0498387

SHA1
d950ad30347b6053c2c81d9a1d3098fdd9449c55

SHA256
c9f7d5548d6b2b95e0eb86c3a05ff4dea917f65087082cfbac6afc390a8a154e

SHA512
dd4263cb4d88cfe5e04fee25d01a977c2f7e930da383ea70ff3cbd6984b8101752e5311a40ed6df03e30be16272910fa0761ad71c6d6a2ac889431116be1700f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
410a5627d7031ce5f51833e238690eb5

SHA1
df55fabf807f82d3e48f740f24b56623941e47de

SHA256
7e5206a982468ba4514a5850d4285611e91138eebde0841eb7576777a401f114

SHA512
4fd2c22ac9956df492d0f904cd20430034af846d097d9a17552c37bddb59b8eb06d8a5117cbac2c22d5b95a6dfc3e8f5bf195993f92db31f5d40bbc0adc984a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
8359efff750ee7402661116e26df10ae

SHA1
b2ed70cde9d091ccb7b324f46e77dfe0b3a02795

SHA256
6145ecf1dbd070c23cb5b4e62fa88cb087943f1984f4a3ca2def022238aa6995

SHA512
972eb40732a2c6075276629b6865ce7bd4f0ae3f631b2e9ee572e011cd9ccdec3d12064f9a95c733a0a76a4948fd1e8e115e4a0ef340cd75095994be5fb77955

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
2e4a0b59ac6b43b23f7d1fca779dd464

SHA1
cb4c02faa26c7276dae1cc19ee1b71ce54289167

SHA256
3e50e3635dd7d6b9ac5b6f3552915ebd57b98f4752faa08bf717ab9051a8f3dd

SHA512
87fc16a2b8e0b3a9390986bf8389e8358021a8ff7fbe80d92c14a40876c42b69eae8ccb58a47fbe1d83ea69f346ad14e452ef50fe78b39b5a2c82e5199805c69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
49487db207c577248cc2ecfb40ad0539

SHA1
7b67a5e40b3f1fcf3b204e06af9841eb531b107f

SHA256
5bb848c7ffa3673af99c3d19cdbec58bf058ab9b00273c18ecacb4a175154fc6

SHA512
67b67fe85b9dda757d5ff8878dec2524c855c10387b78d7d6d853af0e8a1790353a1e6f752b1fb29863a71b20ef3bc3fde60cf9ca3486bda218d8f7ca3b4e0ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
0d61e84d149352b35be10afb1330f146

SHA1
8c12abbfd8690b1a87791d769f9242a03312d84a

SHA256
906af9ab91779e696ae54c8526f464b236a84181c46192011a29c8c2722651c3

SHA512
7c186e38ae3ec79637c8f10608958a6fb8597ff03148cfd5a02b83fcb309c69c226eba52c5b3608b5de8919b034e679d14186497807350fa2a8bcb4efd8cae20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b6e97a607f6049c432040487f5ed1691

SHA1
9d350ade54da7266d737effaf319215012f02e7c

SHA256
c62197aa8e435443a0db1b96784ebba5d7f12fb5ebd1a3392edc391ec93961f6

SHA512
0704683bc104040cbf52ddc37631d8cd54a32299d95570093e9cfd064655dc11a9a930c59097cbffb69b779af671ce88026da89edd47129506aac314a27020da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
dbc79cd7374f905ff8fe84d3525d20af

SHA1
a16528223c5f9911994df5ea1bbb05b3b920b3d2

SHA256
200afecf1b484d0a0a5cc6d929029b265b914f3de38f9bb3ab9638632562407f

SHA512
3b90630b403fced50b0fdce86ab9784230cafb6f0a148f8b69c455be9e0c1346144446bc94ce740785a5a0a8fceff49ef56e6cca93b5ec75d8bd05154bce4a59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
115c71755f4fa83eb307219c886cd6d9

SHA1
e83cac86b7c87324e03c7c631d0499443e058700

SHA256
43a88e7de9e39bc1f3ffe151e6c65ba8572edbdf928209c08fc2bab4e2b3c6d3

SHA512
f9f7d425a7056d456d8885cd911e5e3cf6870965fa6661d146daa809f27a1922400b5fe04a19888ab2ff9df3b5c6d01ff67e1259000fce12895f89eb8783b18d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
e9ab440a10c28b6ac85ffc9bf393b06f

SHA1
cd025e0bbd19bd3fdabab8aa80c91e38aa6dd9bb

SHA256
cd85d7deb429985e42a7c9d2b7590ca4dd469cc452ffbea68a589fa880a13965

SHA512
064bf9b3749d6a1a989775945e69285d7504dc67baaf8a3c75d0fb5b5b85dda8615d0127bf94ad8ff0f23538bc40235ebf1925433a0df777b09a6c42aabf1102

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
215611072fdb4ea00fa05b221db75dd0

SHA1
bae6d86759e17bd4600b968f701e7b18da7725d5

SHA256
373c06872bf645d55606334f49d78b5b9a0da2e45d39b8d88a14e11c3b5467ef

SHA512
5ea0825f6b9e291113f6f617dbe9d62e914609ca973808c403e688d85a82d9ac334159efd9261760a27bd7f0b0a96ec6611a810b30766eb1b817883979de96eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2070a786bf76250ced3e060da1e8afa9

SHA1
65f063840ed18b92daa149592c60c7970114df55

SHA256
87b994f1b48ebc3aba855d7cd78ad33ba6b1a5551e39ae0e5d6d7772f241e814

SHA512
7ec606a5e0c3d0d8b54823c0c9c94fdb6e93731e43b1201c82ffa582a6b3e7cef948c2eb99c4f411cbd12095d6d1cd573bff9b27b374fa1d6d7ff32dd46cdfdc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
571ff4f12f1ec4681a4d4c6e9adf0075

SHA1
f0af25dede5c7241a1698d0fbdafc8dc005620a5

SHA256
3373d28925c03536ada36036e584b615bd6240af02b676587ee30a8d4646f39e

SHA512
117813868d3fcfffe3a384e8fe7213f601b76eae6c4ed728b5b0d0187903b1742648398362ba06d2d57720b23006573c42ed0298c453b4cc054734c1e597bfbd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
413c7d5858349e3ea9e76c58fee5db31

SHA1
ae873fe415ffa88db23168af5ba03d6d9e7f6e81

SHA256
0d364cce6fdd3bf52a569067e03a179a7ab8e91047ae745cfbde7506296e3599

SHA512
285000a6045bcdece19e73711739396c3e4d9ee9835b504bafbed1bd4c3153a2e611cfed9331c646b051996fdb746c255f58923deba04fc6b0f5fcc68c810cc7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
865fda12e6ad5ce0bf44502d99465a96

SHA1
12012bbb3c778c25e1e2734c6f2b87951102a1f5

SHA256
c742a446c10d43c0152b486f088b8caed7da582a1cf2d20f65252944acfcc36e

SHA512
2f07241f42cc9b19f3cc7df0b9c3fd22e444689b9e00309f19c3f701caf08bffa6c176989f10693cecbc16c759b9f4a786cadade9bb4e67e0dd563938f4dd26c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
79c5f04df6e9daf3833a54feed27b541

SHA1
fed233ee2d4c16942cf641f8fca0f45b90ca256c

SHA256
18eb15d882bc384d847d4f88a7d5f05e450e0af570cc3ea1295d47ff6e7fd00e

SHA512
307dbc8d77732736c816aca3b6898a3a3a9752485ef07bddd9c89c85ab52b805b6986c96f2fa88b90f8846c1217b7cbdff50e75e44de9692a61784c7dd0beb90

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7d74bf38a73bc6642c634944d1149f8b

SHA1
9e06b7b1a228b9ffda033bf44c0d74f6dd25480b

SHA256
72dff99eac755c336094354ade97e42bfac7956929c5aab46f0d927062ecff80

SHA512
603aa2788ff5e15d4938f69abca5d4653830b32f706a7cc78cdb380eee840af75a2cdb20cbd2ba1c1b61e1c2655d81827ccc83166eb01dd6e5e9004e2d08d37c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
03555d3a160557148ea4dba2d69e4fdc

SHA1
28886a24cc56f59aab306685daed2b04ec4d72ff

SHA256
d216120a07c0c38f8824521d26f4e329cf3594203ff0fce053af7740e860e62a

SHA512
bf433d5fc4f1c9b08b1cce8eafbc4b79875279589f89f889cfe2ef98d2986afb747f8b80f8a64347c76c23255a26b3dc6ab9c283795059836f0fc6c70eb97f9c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
14c53f74575cb390fa390466ce67e456

SHA1
e78a9ec95120e8523fe7d91c83b2cdff884c80eb

SHA256
07279fb1cc85ec3743ab302b3d77f77b2fe9206ea014def18317722273b09814

SHA512
9e48e1b733c9255b6812ca7d68abea32770ebcb98757246af7a28b4fac44a5379c1b42078c55a79626b759b75a82991046fb2ffa81ccc4f715383f6dff1bae9a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
8bcdfc9a9f32f41f1a49ce653e251b67

SHA1
42ff9035bdf39ea8965545994932b29d044fa885

SHA256
4de7593e822caf72744902dec90ae4bfa5bf587791af0af3f547ee4913dae5b2

SHA512
4666f75e81ef3bebc7c701e015c0bbbf4eedc35376ec5fd473b4fde93789e4a03acadf962a8601374fe019b499b162e1bf0bcc1fab30ad11afec4c0f38362286

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
08b39592c0a517c0790c2d7674d20953

SHA1
15fa06212996492fe6dee8f0acc69607272ca6e2

SHA256
3e92e981b8dda193970b4a591036c44a05a32e13b3be734cc252dc82c2d7211f

SHA512
80a69506e1022598305edda2933fbb51739a577e42f3bd2be7d020cef427a1e2d8796d46329fbc2b56ad4ad23de4079579335299910d164275827f278ae0d0a8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4fe211b46a55d56699860740d682d56a

SHA1
1724c699367e94e515e2d77fd9345870ad6014d3

SHA256
56445f32c48857312dca6b07f825a8c973fd9610c34d203f5b5183db57303a33

SHA512
1fc443358bf6b87857d27935d5e0745d96e246423ef214da0030007ccd7f7c16e94c27b16a8ebf292d75f54f7ff02815a6512e86a78c7e6bce011a60a5972d2f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
851716b88b28c7359c7f2b19b91a65c6

SHA1
a4daa8afc36ca4047f8635ed6e48ff9e236db4b3

SHA256
041f830e3cc9aa0182b4b1639d68667a0803d0f215439dd9d7f77572c77e0022

SHA512
5ea7e6d3ea17696765a0f9d4ba878123b5db10762a086e462c5a2ae94d2f07fb6f5f8178534f33048ee3a2e4fef318d8ee4d66f048382efd4a2367595cd3a855

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1b3f4cd7457e4edaafee7359b5f8d5f5

SHA1
c45b106a933dc958ec89a75efeb7f5b8d52de023

SHA256
5315b6770c53e255de81048f4e2ecbe80e63bd4ede5e118c2a58bf069754377e

SHA512
fd6dceaef9a53ca4b321e4033c683866a2bcea4845987132c3ac8a9f5444dc20a9fdb09e22429ad1f39eb8da1b95c6f5d214b55e4f222f89e24018c7f4b098a5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3fa005dda7e0c85504624cb3975f04e2

SHA1
af7bbb38e3d76518e5e9293cad20a4c6d6911890

SHA256
1e1b23ee38464579c5903bfc7f43a65068aaa22f0e172149c30844b6b02ee90c

SHA512
229487acb86ab1f22f6d627d08dfdc8585ab73af2c0fa816c14f59360ce1ef7b810a250d451e93d1ff64ccd5dd06be5872e25352528a130dbe2908d59de0b2af

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
cea08f535b63a76dea249827162c8a95

SHA1
2db5e2074fa8e77a9b20704af7110ff1a4fd183e

SHA256
0ad9b5837e8150b075e3b237537acfbc980a1f053a8dc9e6b4ed15d9ad655912

SHA512
20972cd45ba52a866bea5fa208074ff9e11624550d34de8e2c88a9c601417b15790deb44115d54ca2c1a38c628eb332c0c87b153ec404ca5e3e980efcde957ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9c091ad55eab5416ac3d72372ab0b825

SHA1
4c9d71c0fd23b8f8142115509eafc6b749d3ba74

SHA256
32c8ee1de5b4c4eccec290a6a25c188fd2d244787487d4975c580d3f598bd734

SHA512
51b84797ad74828f9fec22a6a4ba91599ecbe71ceaddcb4a151fb717965e2768f5f19fb4e6581f2e52ca442355b8b111f74637e3a68184b7e4e863b2c760da64

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
9ea958c6f50833a5cf38287c5a77b67b

SHA1
d84c35862e3f2cbad596f9ef833ab2c6b59c6f9d

SHA256
feefd290df88d3214788161838153bcccebe17a9be3ef7321a7519f73181ae0a

SHA512
bae191dcaa7b0379959285d9c8b99b60b450600f6cc577f8c68dd638425f8ee453487162b6800c1b9405360f241c62724e4d4e4577e651347a43cb48384808d9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
378ae31c347531f0991e4e44841e1de3

SHA1
a9fc070713dd430e433da99ee4400f443534557e

SHA256
467dd135f4c55a77a922aaa429f58aaefd9d1d6c268ad6c03bc5efebd1b5d377

SHA512
21e12745edc84ade82bbdd86ceab19669c0c61a45f6a69cb8546bf74c97ccb23b521257cabdfcfbf34564e312c9b05bcbbb9ac93a867003078211f78d623c2a2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1deeb6b5d1caf7cee639dc67a13ced19

SHA1
3e287ea623439927cad72b9c3521b4dbb0ebc823

SHA256
8b784cd652962b274c8fbb9439f4a60da74554b4d105e1dff145c76fe052b897

SHA512
7942f2be3edbac771403ea08f6a28aa45c12726a2e4e0d4cfe2c910a122796fdeb6ffae63ecf22f7aec3d2782820a67e26617e572298ef37b451dc2269abb00c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e326f3c27463b53979af59340663cf21

SHA1
45f7f06b63740e5b99545111154013d686e14f21

SHA256
35586cc2849fbc50e5ebf30389400d412a9c2e4c246d17e289fb6ebdab1532f8

SHA512
09f89b70f55952ae4c0886ce0153e5bb36925e34b7d7b8d46f04af7418edab4b27703488406e456ef03dd924e40968bd3aff7492ea2218a3a9cf47dd553d320c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
f442506d2c512fea3f256f52eaef8e65

SHA1
a50cf2b6c6aaa45a92968065c9def9a1238ee650

SHA256
41f0070b2cb62583605992cc2e232f7906090f2aff2a91fc554bfae7b7e140d2

SHA512
f80918c3222b7badf94d8aaf59eb1a61297956758682f510cd75eafc1ed7c214c5a0451637753fc23f20421a760e691426f0819c255b2c91433aff8f8abfd0b1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d12f441469e5960bc37b273a3ea465d

SHA1
670fb09f5cbfc8b2d76c4e4b29d2c6f708139990

SHA256
cb816980e807fd80f1e49230b64b883630f677f0797b2f3105901f8419bb5778

SHA512
4e9ae2a327613512a41085b4048a68666cfd88de3dcdad2325291adeeb24f2f2ddef8840f402bcceddd5fcdeeb7a75a97fdc22960908300fc058a35578dc52db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
08cce3c513b00a8319cd8a02504d07fa

SHA1
43097a1562e3fa6c59ff9ab6d22a1b9a32b0842e

SHA256
43279b556ecf0394a38a048987a8f12f0ab1bd82b8524df0bd87961a69a1e837

SHA512
de50506cbdafb03aa83e2b5d3135be1859872e813ed8d883b61c622f67f18b73a3057332905c875ac1bed31af80fbce9f1e96ea406aff484a1685c3fd367a1ca

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
45c8eff3ab7a0bf4a4433f75ef434bcd

SHA1
19b08e4a1d7d307da8dec9d3e6bbb7b404fe4031

SHA256
5a1fb4e84e99d2b44a6a100bd55cdce64c53f1c037b15b20cab9e39a60a89f57

SHA512
08257e3659f981b0cc46bce8678946efa932bbafb9ff2b7c31d0ef0d328f6d4031095c739dc7ac9671045849e78cec9dcd8774602ff87d1ec11fdfdaad0e9ca6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
0937a8b95119df9dbcebf8dd7fea7616

SHA1
1207427fd36c9b1724b9c5fdc90f8c29a0a804ef

SHA256
d4264d84260f7590fdff5a425f36450656204a9a844b578cc0b493a441c65737

SHA512
e6372bc68d7cbd41adc5745c094dbe6fd9f7c7dd13fa23ea9994cb9274a493c60bd0b321c794506a5515ebb838786534a03602dd6b9493881a05ced617e97f6c

Download Submit
memory/384-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/384-559-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1424-0-0x00000000025B0000-0x0000000002617000-memory.dmp

Filesize
412KB

Download
memory/1424-5-0x00000000025B0000-0x0000000002617000-memory.dmp

Filesize
412KB

Download
memory/1424-98-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1528-116-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1528-226-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1740-104-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1740-214-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1744-238-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1744-127-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1880-57-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1880-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1880-51-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1880-164-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1912-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1912-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2136-454-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2136-165-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2264-115-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2264-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2264-14-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2264-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2712-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-598-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2968-189-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2968-558-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3064-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3064-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3300-178-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3300-554-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3960-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3960-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3960-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3960-46-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3960-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4012-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4012-593-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4168-130-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4168-250-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4316-552-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4316-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4400-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4400-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4400-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4412-85-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4412-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4412-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4412-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4412-594-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4412-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4412-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4612-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4612-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4612-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4868-251-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4868-597-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/5016-161-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5016-385-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download