d3cf5c9e9605b319795c2ad4bb907f5bf35f3f2204872db79ede6134038c8fd2

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 10:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Size

24.3MB
MD5

c8e5c76db36590cbfd4e384be88ef0ba
SHA1

47a13c95997b618c9debae357159417a5b64981d
SHA256

d3cf5c9e9605b319795c2ad4bb907f5bf35f3f2204872db79ede6134038c8fd2
SHA512

68cf0d37c36d688d18ab373cf52fc3156e93973a2aacce7fe100c8171bbf4a42b87242d404b8db424a1165faef851ef84ae1fca032b0c58cb5c930341509d1d3
SSDEEP

196608:xP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018NUtq:xPboGX8a/jWWu3cI2D/cWcls1GUtq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2068	alg.exe
4824	DiagnosticsHub.StandardCollector.Service.exe
2736	fxssvc.exe
1616	elevation_service.exe
4404	elevation_service.exe
2320	maintenanceservice.exe
3276	msdtc.exe
3924	OSE.EXE
5084	PerceptionSimulationService.exe
4528	perfhost.exe
5032	locator.exe
4984	SensorDataService.exe
4956	snmptrap.exe
588	spectrum.exe
1344	ssh-agent.exe
3744	TieringEngineService.exe
1128	AgentService.exe
1560	vds.exe
432	vssvc.exe
1452	wbengine.exe
4240	WmiApSrv.exe
2032	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5239ef37c8648821.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a24b79fd41b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000149f0bfd41b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead3a1fd41b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6d825fd41b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004ed19fd41b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c35a4fd41b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2736	fxssvc.exe
Token: SeRestorePrivilege	3744	TieringEngineService.exe
Token: SeManageVolumePrivilege	3744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1128	AgentService.exe
Token: SeBackupPrivilege	432	vssvc.exe
Token: SeRestorePrivilege	432	vssvc.exe
Token: SeAuditPrivilege	432	vssvc.exe
Token: SeBackupPrivilege	1452	wbengine.exe
Token: SeRestorePrivilege	1452	wbengine.exe
Token: SeSecurityPrivilege	1452	wbengine.exe
Token: 33	2032	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2032	SearchIndexer.exe
Token: SeDebugPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe
Token: SeDebugPrivilege	2068	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 3160	2032	SearchIndexer.exe	111
PID 2032 wrote to memory of 3160	2032	SearchIndexer.exe	111
PID 2032 wrote to memory of 2544	2032	SearchIndexer.exe	113
PID 2032 wrote to memory of 2544	2032	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_c8e5c76db36590cbfd4e384be88ef0ba_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4404

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3276

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3160
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ca56f52bd4cbc7521d520dfa9cdeb87

SHA1
71492650e0a80d8db97447e03d7e5db57aa6fba3

SHA256
23f8632e7439a7594884add524ca281514815a33e10db5af68c2f948daa417bd

SHA512
baada9ac3d295da5845fe30ba8947f0a029222a8552dedd58896f5abb2d58ca998734b94713d251131ba5fd44a288a92ab421503abdcc01c7a5d007dd17b4ed2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4e7c1a9bb56e7827a657be583fb81f0d

SHA1
62e0565f16d0bbe8eea879e4fdd9d28fd2018bd0

SHA256
8993395076a5021b3714b1b90aa0df583cbac09b8d504e5f54df7ee7dff0153a

SHA512
5a3e9f9bf458993ce09a3213d0fdb5948edcd6c27baa42932ed82a5ef9e98f925ffd49fb1b91482f42281d5170ec19f91aeb58ba50e613747d128e9e67eff20f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fe0fd8929beca0f60df83a18702d4976

SHA1
4ffcbc720474d8d4b5a78425cf330aa786a1739c

SHA256
4bc097c59a394f9c85e20100b7d97ed5f59b14154e9f2e767ed01d40a9e1e036

SHA512
04679b2edb12fbeeee1ce9d5057a94bd4d311b9adba1cf5b990796143d0c3d4a3c1e766c32f0ad9ae1e0c462e6843e2c7e0567eae29aeba237980cb3cbba14a1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4dc04c93d6619b3c659adcf24ad7ec31

SHA1
dd14c658d51e8d4fe93ecb2dabe0c57f469d4374

SHA256
ef89b1c1b382045eac305882bb86bdc1799ad8dfbd02576fc0ba50cdb1e519a1

SHA512
108db541aa1d5fba86b8250a492e645806506b91294706900e8c15f24e4954e02ff2cd58e147283f3c90d90f2f179b8b07d9f004ae17544b8ed2fa81ebc22c3e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d97ab328970c1b6ef457ae8698b89e70

SHA1
1ff9cd79e5c21a30d01946d2cc2a752617f422b6

SHA256
99a7738ea025a054928ad7d197996fe5e0a90b4b4289b161084a3d294027d812

SHA512
4f08f9f1bf2e882f74ff27e9c2e6965e24f1b37b24176b6cbf0fdc5a88489f49debbd8233895400eb22cdfa6085486047c6d5e5804dca813bfb71406f865e324

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4fe391df43b2217c8a79bdaa21a75389

SHA1
709f3c85354c0b5d8a4946bfcc96c04997da0f05

SHA256
df638f9cbddb24670e4c882fbbd5001e79b9ae18cefb7c192ae618abd5df669a

SHA512
f5022d2a7e76da196609dfd1279cb5e261f9b0ec20e9cc6cd1a461ea76a8a4b22494a019476f0d173114373da02b3b3b981bc42fbeb553f3c83e37482179c6ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9bd3d6d6dd029e5b4ec4222947e45e30

SHA1
0b7906ce8bdce4f8de4a1bec22e816e8b68e1b6a

SHA256
7504e38eb5e29cdb5f5a5cca511731bd0433c797b519e3b67bdde63693b9d449

SHA512
de7fe0d0973b2e0067494219fc6ce4848204db018bca795f2a3274e7a4ef07a078953baab9353515ee8e509b5cae64c42e29f7a730c906d155e5a127e9c73155

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0b8b185ff631d3d3d5192f35245a96e

SHA1
50d6b38a08f99d425eb9d16f6e31526d4ff6079e

SHA256
e08d0dc4dc12aaadf28babafb3750db340a8e0dd24c2a56bf5ac48ba5035b5e8

SHA512
96f6168da28038dabb6634ba7dd981b51e7c0d810cdc37e36ece156da9be6ef546ebb7efe9ba66346e0438ee44692b486f426a19809e285d7e200e7b84355ba8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c41c8949fd34dff9f68830eda6e297b2

SHA1
56a30f30c18e2aca0540775304f2a623891b9ca2

SHA256
2b95504559915feaa6143e12658dd576873f788c80e02f4d81b1fe5201781ae2

SHA512
7494b45e0a1dba7209e6e00125fb2bdfdd488936707c9ecfb2c814e87a63378eab2d0dc6037b19bb6204d0f2b71c0d5db11d8ca27e00fbc10cc762ce4036880d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0b39b3caceb165d194fe1d7a5542a048

SHA1
be84060260bbc760cccecef042b5865198482878

SHA256
92f091854924f493f800b254c3682f671154deaf3f3aa4847c2e618cf5af9456

SHA512
4df42c7cfa814592ffc2eb3223784cb954ca2f662739f43c40b0a9536fa27ff9e26037e17eb9024bf5b00a06eec11c89b7f0d3066d4fc0defca661856ce811f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1e47320bc50a623bc3068952fb9bdbce

SHA1
95c9ded69321f9c4cc80d08ed588b284bf3f0c88

SHA256
e09015926ba9451af95ca84ceb7fac1a2badd6c1fce237e5e05d5631a583543d

SHA512
cb07d99dfad94c9f27246ec6d6e2d313e5eb31c7e6ac91dc29df95c459310bb4306503bdd97797e11e75639920fe02baba0503a65d5adaf718a0c761acd384fe

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eac4082702b34ff09219642cbf86a915

SHA1
22538ffa26b822b16b737f389ce1fc31da82248d

SHA256
74b96f6e278c89efeac55277c4c4ef0b6f887e1630f8770a392ea716a60f8b6c

SHA512
9652ca8b42cc7b7b9c2386776d3babe10f731668c307ca8ff12080c8878e3ded251ca8fa964a5c2f93e3885053589dbf951f58cfe6cb6fa49c381d190afaefa4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
49393cf2b8c4e14b4c08c92ec83340dd

SHA1
87ecf3dab0cdb0f8d2ab469b1bd486e42aa44838

SHA256
3c0ea8e50ac83fb3b65171ecdbe6ecab3ad2ae8dbacdc14b7478342de907007c

SHA512
3aae2ff2b79501a343011e29a27354ba68cee5b0498264b3f3e232e2e5efb54b63ef9e436909869de98d100c6e460b80e33d760db805fefae4888cddd0804827

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a2f88017f4e4d1130253b66c65771539

SHA1
87f870d1d2856fbc71170156738f660668e7d1f4

SHA256
828326c2d45d916a78aa7fecb48ad25e0c87ecb998bb3d2591667e121d2f16e0

SHA512
d456a717a870603c6341ebd3f811ba98d12d3a21c94156bb33da07a7e3d879509d66e8b2876cf9256a34035d3c6a665a9889313a2a4589b7625d389c28f67a8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
783ffc178121b998b827c06f76ebfa62

SHA1
103b8ce290b90eadd390bc13521b4c232597608b

SHA256
445c5adbf23681259f309406130adce75bc13a89c1d59f7878e2e76d36430b0e

SHA512
90c0fb3dcd407f4a8cd17988261d71c6fb414d037ce6edb583d7821193cacfcbd226141c3544655665e9f9a0d9e75989171c2fa92b0f3549f0bfb19c0abdacc8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
dd25802f552f44a1b8d42209a6bf1732

SHA1
e0c84ff2bd80dc1390e9e220ea6ac432782878f0

SHA256
710bd11ff2f218039418a2ac603d5fa871dc2c86eeada6a77d66e2cc428ab1d4

SHA512
2dc92862b42a771bdb6ee14cbe10aad303c945bafcc2365835c4edcc79de22e7ab12866280b385e14d2cf9aa0ce0dab3146529c547fb26c8eed94c2aee816821

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c136291be428fd0800cc010590dd099c

SHA1
bd96d03219b5f45dc09fe176d4420046cbb9f01b

SHA256
9ad70b3d9aaecc9e7e5c70f62dbdffce9d819b8d4698176677ae93fe259b88ae

SHA512
8de6a581e350630e01ff8c1f784feb6f982b5d5135cff348f7ce2fb54954333fa164144b6081feb7c2846fdb9ddef6cda28104be2a8947eb850647a99ddb56d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0808edf7d8a59c43daf9a2470b65dbcb

SHA1
40f4ed4dbb49a4989d18ea711f86128022e3fd4a

SHA256
32c75aa5656d927cd72c8f53553142e9fff75e745c24596fa9df598638fc129a

SHA512
c2454cd445b0cc5e1a5da51a7365c05ba36ecfccee9f3f3d663aaf65f69763e002e56f97d74e82678bf7a586626735b284e391baf3bfeb729784626ee9050da7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
4915b6990c1c0df0ad31539d1f5531e8

SHA1
e07c07bba35e101cfae89d443318eac074b0377a

SHA256
2e55ffcbd0268018df3f2a26b7b19732c7dbf086d11fb1bd61187009c8e0927c

SHA512
25c3fb2d737f4b151f8cd3a3e17d3b058d113a7e22244fb6848b984d51bd38385f6357b0b98371459b98bf1018d1c31a30d427c3b18152f7ad0a385c0d4e6d9b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a04ba33885bcf0aacefe5f0471e4577e

SHA1
769d4267300fb1b7d6e7f8652cd60dfb12386227

SHA256
29e71f2044af052db893fcfc4ad19df7bf6ad264711ba5fec126cb6f84715c57

SHA512
d42d0e6ce37fdb793d06bd5cc187fb1f2010040cb8a4b7f9638e4353bc50fed83d89ba203b7adea62f8d97898fc50679114ee637bd0c9c20ee79db8a4855a5d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
d16120a37e7c48ab548460a54f882a3a

SHA1
450001ef6c320c8990ad8c688b7e31729c1c47fd

SHA256
cff0a2dac3f084310f1244286bbc093a0d925872330d207f646520f060979997

SHA512
99d5129f5ba2868b582d8b06e2d5136e35930dfcadc2ebcf5c9eef3905dcbf11c05cca12d433742d83f2a1e372161bfa1bd60735cf539efa239f78dd4a82de95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
86ebac0571bcca34e5f0fdd6e0d933ae

SHA1
da5c5307f5fde13e0e498fcb692df7ad84af2210

SHA256
6493cbece220569c6b58d0f5cdaedaacc026a3f6af9d2d4491320e8dd3e23b08

SHA512
f23d27f7204b109c7773d32e1bfa05f94277599f2df9129407f859e956d7a1c295e12a3c0ba66c424f23f12a17edd020bff93d44871777e6114262d074268a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9154fca87fd0bd3055feac6e003d5094

SHA1
4ce7d72806c1abdd595b89a5a0fabb9f2ffb30ec

SHA256
deeb472d1696f5afcffa6cf8281944ede75dbd17e692391662f96418b1002f04

SHA512
5e455f386e20a05d531ade0f60013fea2739335ab5f5aa2eb914c6345f6b8f4cc13f14cdfdbbcca935193493c760922591c927d2b3bf0ef61206a2f2bf0515d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
097e35b93b1e3c5e89af2ea9cc5a1f78

SHA1
e4861adbf708c6c7cc936d17c24045769e4b58fd

SHA256
1b53a1a6bc48308a0db2ce694ed6e4b72d6644cd14c2957809c442d8a00d05a4

SHA512
de57e5449cff1c8a05ca7809f1a99268f46c0d02ded8e12649f04aa5b4834ae34d783d2840593815860b7c09bc1d08f0a6e3e266a1ab6c586b7fbfb5dea5e021

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
28e80dc46d5d56713fad82ca666f7a65

SHA1
2e13a2d6be9916c2ac513a2db4f5e46afed7be89

SHA256
1becd527b6f90327b3105d81605f4ef780b7f16699b6d9b6973236db184cecf8

SHA512
8acfd00d4b55d55db6e2a3c6c0bb65a2c613ced8e56ee2fe886d4aba0482a1efaee715a747d9dbd64188458972820b39c6f0ef99bc876583eea5ebd27a205c98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
18cd7ec8691cef437344d9aa0084cb7e

SHA1
bd9554a2ede92f776de7b19e0b633d8280ecd0b3

SHA256
2c2cb762a97ff40b6883ec3f69f901300acade47ad0006152748f67eaf073cbe

SHA512
ba3fc19172355e97eb3218ab1fbbc16ea49802bac52b5116db14056045af80f4960b7f5e57f8062298d5252e65d3924beea67b78bd09f1dc957e27ab83e82e48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
9717d01a91a50af8890cdd9cf294c81b

SHA1
1a3cf5c11a41e2deaa2ba93e5b92bdc3d3597b5f

SHA256
25ad4d434164e261206873b896725d6ac0eb630e45a59c81b00469074463a64c

SHA512
275bd9339ca0dc54becfb9a3f84036380f83347878051895b5319ed1a7b0904a3ecace089fd7d708f1a4eb274c6b954fb5d446636ccc53855ba17a26b280eea8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
ffee253738b2b5274b89b1e5918f5ee9

SHA1
375a8e228f25dbccda5142274b36974b877e4261

SHA256
09054c9588c67e33b10755d9226153f38831a53b3efb1bf16b54e044cb5b628c

SHA512
95526f3c8c33b06e98037e6a24ee6e7741b0e9485eb3db077ba17e68d719511edbd6641445b9469e65e9e578073cd43386b0e796c4e094a9df66d14b50d130e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0a6c666b964dcf3f5eaf77e07def1d94

SHA1
1ae80d7ee9ac766a58a5542c93cc31b7a35bf7d6

SHA256
30a9faeb52658c75c132effbe31010b90406b4f9ba207e1ae22d2c61c9a7718c

SHA512
ce3d502222cee9d5d5088678ed33d5c2cf1556f2b8b009fa0d8f07142b02b23e102611f0cc986fc0cb6e56cfb5825813632e56f964a5caade496159167618f01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
d60c87901185492a211a73b04a6fa13e

SHA1
8acba3616206450a4372910503b30915f7da6d59

SHA256
ab7833f68e8300ed8d762b51ccb44e64cdd5adba93004c4a5426a46ecb08efe7

SHA512
1a1d0dfc3bcd11f1ee4be273598758f418170962d51b51feba6de2087a4055c072d7440653d43b9e43a262eca59a88b6f8820c13a247710571cc8373765c95d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e0e90ad2fc1c6b699f35d6f6c65c8a46

SHA1
22612e57495e5d0773ed9dd4bb666fed33dab184

SHA256
d5d66ce4bd9581c79586baf34e505c854a891c2ffc60732e9caecf5390ec92e0

SHA512
2923eb0502801081a44bd3f02e5a43071cb3f24e1eae20b51ade7b38dcdc9222537105981013f88ea2e22b35ea0712fa0de6f8b0a1b5f84dd10531485f443561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4012ebdc249a91f0dbbf77c1aff2e762

SHA1
d615d1bcd6835a39542a150b72706916df686089

SHA256
1d46455abb511c17cd339a0f44881810391a26ba10fed0e944c0f676333abfa2

SHA512
85d03cdde74c1ea8db28cbd3a50623f5f749301b93bc8369ee4ca7e9f8bfc3e90c12242047dff0549d128924e0acb74280b8af257a877f2ed9df4af947d62013

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1aa5bd997f7fc6cadc995a0d4ed88aa8

SHA1
dfdb6a4fe37c80559d8a5cd42d7328a5588a50d5

SHA256
3388ed7682f23adaabdd8fe5dbddafba95562380848e19c2ad78e2062842260c

SHA512
d49ba9f9d9c28e9a34be32b3289269c61b3013dd8d39c94e30bff9aa75c6bf6364f266f3e3d40e91569e820b7e6e9efc6ad39d0f5575d6eae8cab923c2b15af7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fb18a9ed6b96c1e23854c3a558f964ad

SHA1
f26dfec3008c8e559211295cfac76a1e4e5ce01a

SHA256
46c11e42ace14af42842f85e5bb005dc7e0c11add1f9524a6ca11b28ee7c743d

SHA512
c7f64e6a827bbdb020edac32a8644ba85e5be9425fa782b04b4b37763d38f9ac2a5089935c63cb01b57564f21facbfd22fc0bea0fb325ab5ab889970d34f99a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
aafd0e8d929ca00747255b9e9af214e3

SHA1
e537f83063edaf352ee38beef93e0a0348afb4c9

SHA256
682eb0dd8e5dc950302bc71cf936ed1bb3c7b94aa97a4682266a9a9451f39e41

SHA512
f6c2064237856be2835f41e84a2f19a8bf8d49cccbc3d880f09f02e0ee188820cb2d0f82dc1122d033470358d99df003d1ca817a948f39037a1c8df837d83503

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
350a0439698b454a044a9e088cf3e76a

SHA1
95775ced945ed5a4d2d3060c34c07ee9f24b785e

SHA256
45c75d0048b0fbf7b16636f8d71851118a09086bc771aab2466960cae46a500a

SHA512
f21be6a8f923e10d6e489c99eff913d92c5fbf1d6542bf8fb8e9ffbec6a250f685cd400ad9952c056addd27e6080bbe47e332ae0e38d690d9623c7f888e8a186

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
04ef57816b18e25cd856ae7ac755e2ec

SHA1
9dd57f94ceb0f8652eab005cd2c91f50e7e44ff5

SHA256
ece31ff7847556e2f8eb90e47bf2d6e6d611e853e3af0d988d2aec31592ec632

SHA512
56a1d30714c69d489006cce71f2fc1064269a276e2e88959db84b1d808c3ac44f6de777b2c745e4b1b4523de15f0297593ae9c3d53f79653a7f7b30b3e1d9e06

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
66661447d5ed86713afb520b107f613f

SHA1
19b7a21155085df45e89b134ca1d05b2880f7725

SHA256
75d535019c34a28a214a7266400a4b01f06c5c61a771ffba48d62758879fb75f

SHA512
9025cc4b58d7a38b13c27302c306fc5c5cadb4c13628d6534caf18fa47554db46559eb2f2cf76baea901de01442cc6ee275d25255bac4a2bc255bbfac3972862

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
16dfc662c332d76520938f085bb27fb7

SHA1
9d1340f41c2f296e7cbefee3f57d356ff2d26f71

SHA256
b311d21b930f81b249691dabe6bfd32927ac96e89f091de5183f704465f438c8

SHA512
ae6f4a93a94b1e21594474b717b7fabe7548018b1d36dde3d539a8b7cd3413fa8ee556597407b13971f55566e662ba0aa4957985372f506daafacc67b4f62cb3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0018d603c945131bcc3f2e6c610fa27f

SHA1
874efebf2b63c95be319930a300c3b4f9762c855

SHA256
e7cd62865ef10fb38251a4378bd98d63b1249d43acdc77eebdd8379b5f942c87

SHA512
a7ff37ea61bc718ea158925833b4f8caf65bc87e19c92bb57a59f818403e55827bb25cbf309fae87b44e5d5d27b5b1f11606be0516672ea867eb6ec3fc2ad2f3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7661c294c161397a0766bffa4c295c8e

SHA1
1ae1669733f9353a15f000ecc8eb88aecf4b652a

SHA256
7f053060977427ef4683743c4dfc95589dee6c3758c24b77d707f01aa8729dc9

SHA512
63dc837a24fe9a1cd98a8dc712c407eac8223d340e0b5963a059715bdd4b920079a201bf3d778cb9a781dd91538c11a085e74cd44ac4955ad5e06ac37a270c51

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bdbd364ef4e3c4527a581dc0fadef155

SHA1
b972da3093074528a8d4a1b37f7cd366531a9f48

SHA256
e12e7ce7af11697e38c520691e50e24d9fd8253919944d6ffa7eee392ad79a72

SHA512
e84dfd1c4a9368c8be303bf698ad95310c1d1e96a3eea86d1dbc80403a497627fc09d4bd3f6991651e557ce5dd314a05d31d8b96c768aa6f795b1bc4c96e45de

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6e1b49f67e37ef7cb98b4e3292480287

SHA1
e0c8e14f7c2e4bbb2ca5fa0d02366ab027e03c44

SHA256
7aa833deaa33c0436ec97cac05153dfed9552e7730c580ab04f0c5e6f73b0ef9

SHA512
5a590ff3659c719f323a85a9afeb0210654dcf0ce4b68e946e81ff1c7f83ac24a012e39409260d56922666b11644c61613680cf4aa27e06b5e9cb6095d5054b8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
299f7af539b7a12751899bc167f7ac4e

SHA1
932b8c1b44eacfe16a0b446a2881c8109b7d37de

SHA256
f2b1d1847f52617e231a1adfe3eca6c9f32f1697db2767c519d82d1938c9c43c

SHA512
b0e1ef50080372acc8639d04a829328e1ff29edaa9af3842b810660f3b5e7497557b93d0de28d8c3f22f744c662a450869bbbfd08347ea2315312c2afb4e5183

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9c90a6801d72dc4daafde25d91b0c104

SHA1
211f4f82579802153323c28aa564279f9085b28b

SHA256
b1e5ab8f39a699f8057f779f5d34872bf638333001778768f4d3f77db73a2f48

SHA512
9daf971455ade6be6f50bc30b5d033dfe6132d0a7e26d96eac98c63b1862a648f20efc06a9d7beab14116141bc9725e9b6ceb35d5052130618f8b3c0b80e0d96

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9e83cc7cf5a45d15de5e5ca58b333dd9

SHA1
cd6aeb699cdbe12612313d292c2bb60169b01675

SHA256
f75681425b180061798d832e4fe1fe698fdaa9601e584fd40f59b95001e428ba

SHA512
398fb84f8105284d2d052e3998c68322b2c0032e6807e0ee779de5f9b0e4dc2eb98b2a1f79dd7a328aaf1f8fb31851bcf0f0bd40fc23b2448cd12067b13910f4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d3d1016a32fc9ed2f6e6728cfc403a1a

SHA1
34c5101442df9f232d97eae70e6e37d72b321a6a

SHA256
f2b959ab91df866247a6203e769fc192ac8eb6f6321fd69113a69a00a768e194

SHA512
0512c1dc63bb145f9c987909e86e623e6cf0dab970ea98db06d2a9f31cf80e7c78df3c0059c2400206bf29cf9e19b17c3441ca951f5da4e941549d7b57bf460f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
df4f26a62e846dc88e4f7d5890da8211

SHA1
868abe0458aa2245f1e516dc4091d69f67c868c6

SHA256
c904e43c066dbfb552cb25ef69ec6b82f025bc5750532cb6f0d8ea32e0f95318

SHA512
cc3fe00b1fd63f6e546c42e91eb8cb9e5af4ff5444ba1e5e48bcd9c12fd63e71ddea84a3604e31e4737a6009471a3a7d1410c7d885eb1d24d1421af536c6125b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
47a6333965a8d91e2598e193cdc0c296

SHA1
e27fbf96719167caeb5bf9ab668d911cc78e9412

SHA256
69762bc79ed64accdb2d127ecbd881eaaf272092e80bd2390346213d32644559

SHA512
77e6de850865339164b285c6ef994097ec00c0e571d205dae96a61362244b87c42d5a7c55fe58f255964440464690503c856681c96c2ec80160d8a2dc399b7c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
12d36d731db67350f720617eb01addc2

SHA1
fc2e75dc07e1bc02053df771c12fa6d4e0bbe656

SHA256
4cf5e04824ac059fbc7db02c9f384be32b73fb989063ea761d48a3844b294f90

SHA512
c0e08904159a517c511b4c417a50a4e418354be40992070523498976db0153f1afb74c087ad1df34564e077647cbd0b7265d8193d322a95622502dd68e6755ee

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c042ff1d4d2900d5736e39ed33748b5a

SHA1
df4197316e50b8d3d7389074e6a3a58866ff2b28

SHA256
4c7a6cc2a39ccd8a77aaf7fa8784ceac5204e8774b713a613b58c422fd8a9c28

SHA512
bb6bf11873c5c50ffbc9a5b0dbd5a0f3ed04ba049652852f8ac2f2232714592745cf49f27ee7f97d002f007a638188ab0fd647fb3efbfd4aac78c8c57c97d5b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0edbb3ad30d285225f9bb09b7bb63307

SHA1
15d1d033e54fb0fac99148a3a938e9727eb92a74

SHA256
a4ce416a0c69aa3608b81ff20b32b6b9bc6e7f512d07bf25fe8c5c81d59d806f

SHA512
70ab2a45765da2d7ca7046ccd0c608853b82e8d278d615c21cb9c45c9cd299ea150b34f86a19bbe28a4d09da5a15968291d7e58414d4ec8aec65adac27888b12

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
41da64396a74c64fdf681dd429e2a96e

SHA1
d45ce16696416c37ecb395e5019564f1e79df9d7

SHA256
f1791ed50e9613d01d415211c3d051a2dd08dffc0920bfda8afe60366dca8e04

SHA512
9d3ad6b321dc8eebef114c6124038212765f1736be54d082d6477f7688efe640695957416f88f85fe58308b98c19b92a9e6162aa23025ec9f544d7d2d7857299

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6fe333e13fb649a625b34582fe4871a8

SHA1
a7b13c15009b199a77ad9fee0857ff577c389c60

SHA256
8d6220e1449818a6ca83a86303cf2df69cdf4d96d92a3a33534f3cbb384d99aa

SHA512
90516d01dcc44bdd011d2a4e869b90b8ff628abc0337160e178da5162a5b0131ba2a9f186cd5400e841c711f4e261ec996e5fc3d0ccd21387bae7253c0089c8c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8770a3d3b7e8f3d64ccf62b69d4383ec

SHA1
c31cafe141b49f202e2316345f6fcb2485af4edd

SHA256
1007c4e9567286bf242dde5595eaa9a978f1c4c676745135da4dd2bbd0b667f1

SHA512
b3eb60cbe2c90b3ca8f3288bbd6c16db54dd129644cf2d6b8b3688374980350133d6cafa86662de406df7902a91a0c71d221f86a0f817e454ecb6b8af37e17d7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
923c96985a0b8c58ce75da67305d431e

SHA1
7a43d3f491955b19406f3c5b317d61d2cb0fec6f

SHA256
31b3ea242a51d86244be9c386b8bc49ba571adf050c4d90f614927c2f2e6856d

SHA512
585145f67e56e2bba3c03b4e4ca711d45fa6de13e83f0a7ac82d1f46014163462977a50432e828ced936154505e2ed59752ec60ff86a602f3cf9d20b08121832

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
276d0ca1f37d8fe38b8d087eb5ab5ca4

SHA1
195cc0e7cbd90d01789a153e7241cfbad5fae614

SHA256
df4ac975368dbd69770d1ad285a07212613792a10ee8c41aae130b37299ba3da

SHA512
6a876f0bf7e8f66fae8550f062b22cb810e431d1a7ff9c4667223808425401b737047f6ee1c0df23debac1dd6531c809da46dc7bf510efa15440f43222b72f75

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
002ccf4ddc5bd163e140c0dd8a23bc06

SHA1
7f6b708bb7433278b17e2f96908849df8d11e04a

SHA256
6f49169506a127ef47b5ebaa7ec5ddf0a4f18b378bf3aba35dafaa0f5af32926

SHA512
8fdeb9085efcece7b9b63c3d3c8d7fb5dcedf3a43fa55263037c5903dd4581d17c4cae28751d04cdad7735beb6331704c49ab93a6afbc8608b10085e74717d8a

Download Submit
memory/432-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/432-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/588-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/588-468-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1128-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1344-507-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1344-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1452-577-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1452-239-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1560-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1560-573-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1616-53-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1616-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1616-47-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1616-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2032-579-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2032-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2068-10-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2068-32-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2068-16-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2320-72-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2320-78-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2320-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2320-83-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/2320-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2736-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2736-35-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2736-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2736-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2736-41-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/3276-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3276-106-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3744-201-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3924-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4240-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4240-578-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4404-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4404-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4404-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4404-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-172-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4824-28-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4824-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4824-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4956-175-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4984-174-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-473-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5032-173-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5056-30-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-43-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-0-0x00000000023C0000-0x0000000002427000-memory.dmp

Filesize
412KB

Download
memory/5056-200-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-5-0x00000000023C0000-0x0000000002427000-memory.dmp

Filesize
412KB

Download
memory/5084-171-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download