04051ffaf3810a46d0a20d3813725f388fbc68c7d9dbee664844274c482666b8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Size

24.3MB
MD5

169a0fda24fc60eb1933694b4e31bd1c
SHA1

77e143ff1c37a7667e5282499ee04f077dd9255e
SHA256

04051ffaf3810a46d0a20d3813725f388fbc68c7d9dbee664844274c482666b8
SHA512

1d16569caeb27db1f9b1d6b4dc8c19dbe2ea98049c15bc29701c4a2b97a2f15f9fc012068124d0f8285f2df2a1856beef9bad1007f216c20cfdd17eca0d04317
SSDEEP

196608:XP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0189UoiPBx:XPboGX8a/jWWu3cI2D/cWcls1g

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1924	alg.exe
1496	DiagnosticsHub.StandardCollector.Service.exe
556	fxssvc.exe
2000	elevation_service.exe
2036	elevation_service.exe
1556	maintenanceservice.exe
3624	msdtc.exe
4504	OSE.EXE
3920	PerceptionSimulationService.exe
4824	perfhost.exe
1612	locator.exe
3964	SensorDataService.exe
3020	snmptrap.exe
3520	spectrum.exe
4276	ssh-agent.exe
3528	TieringEngineService.exe
976	AgentService.exe
2796	vds.exe
1288	vssvc.exe
3256	wbengine.exe
4404	WmiApSrv.exe
2740	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\29d6f9164a48edc7.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d8e8983d6fb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004301f53e6fb3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004301f53e6fb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7a0b43e6fb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f001d63e6fb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021fa703f6fb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cdb093d6fb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb77263d6fb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d16ca3e6fb3da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	556	fxssvc.exe
Token: SeRestorePrivilege	3528	TieringEngineService.exe
Token: SeManageVolumePrivilege	3528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	976	AgentService.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeBackupPrivilege	3256	wbengine.exe
Token: SeRestorePrivilege	3256	wbengine.exe
Token: SeSecurityPrivilege	3256	wbengine.exe
Token: 33	2740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2740	SearchIndexer.exe
Token: SeDebugPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3276	2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe
Token: SeDebugPrivilege	1924	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2320	2740	SearchIndexer.exe	112
PID 2740 wrote to memory of 2320	2740	SearchIndexer.exe	112
PID 2740 wrote to memory of 4168	2740	SearchIndexer.exe	113
PID 2740 wrote to memory of 4168	2740	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_169a0fda24fc60eb1933694b4e31bd1c_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4056

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3964

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3520

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3524

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2320
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a115f812ead1cc68ee2a0226034f45c0

SHA1
c555c8b1ae05ab7a822c2416b60d1ee1c75dee55

SHA256
23f3f82beb69394053a4630b20268287916f9b16d2ba3a451f3be691ab8b9adb

SHA512
7ae8a6a0d4821177bdbae1f8c8b7a5ce2e5e5f35d4eea55775803f325ef7f24e99f58f5d2b195525593dfd638ca410a23cb26a0ef97f57ad91b92bdb59e21255

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
93ff55d5aa44ac04e8a2cc738bf59a9e

SHA1
3fe48164711f94f388c587a664f256b4e1e6b609

SHA256
1ef884cdc2a105ab549595721dc5f17cbcff85780d6a4d36f02823975adce8f1

SHA512
84e8a8eb0219d63b8ddd1f3ec6e51f2a9c7d7edd5f18dd9f123d89423912457fcc649b13944694812aac1594ecab97b530c3f9f77b70223f2256179567f7865e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
af4decbd183147a0632822200075207c

SHA1
8786b6d1deeb269f699437d45394a79a06e47b3a

SHA256
9f04f9cdf43055e49f8ac0f652727a6a7827bb010c982fff736997932dc73b65

SHA512
5d9ca912eee42a320b78442601a07dfc06b4c2a1c7710fb8edbacc0cb11cddd008632280bda9db522134ae513bc2c4373da5c91aad85c82dd4c2affd7cccb1b1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b64ebfe8ccddeb5b5ac070fdb70549dc

SHA1
925ce7f5e94113deaea0d54592c824a3eb12cea1

SHA256
4dd3f7b20b2154e09b9dce2e8d9620b9eafb6154afc921d5c4728f2b35853401

SHA512
69caaf6849fb98f4f7cab4d00315ba562cfb5aa82ea999458735647145ccbe5b0b1a4255a782cff5b954afe4b21e08b5b9fd38952bbdc90cfb3443ad91e6d1ac

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c49caa6dc5a61413da15cc6ecbf0bfd3

SHA1
c0b0cec365947680cc021c65990c793199c1d231

SHA256
9bc9a5dcb712be009a44803847fe77123283d32732df648a698d91c3bf99e2ab

SHA512
fa21f4d09c86f1ba9ed03e90d55aefe4abb7cdadfc0dee9099ca1c5927c8a537a3abe7c9124877e8d7feea72ca774d275ca394b1136499845a88825e2052b767

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
33d40fad926e9cb7eb9d2b6a0ccd6ae9

SHA1
f32225677d5aa7fa385358d18744beb6dd0a6097

SHA256
4c3f34a32725811d7bd5e5f020729b2317ec2821cab1ccb8c76db2286413a70a

SHA512
6300017fbb6ca44eb4e938704d9588bea223c6a6e3774e501b7fc50f40f4de650eae10707c32f85607fa673313925bf63f55be5c5e08790b8c698dabb9e7ab07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8e0eee3e1841a125d8b7947c57806e0d

SHA1
a4a6826b16cab73e375a6b53fdd9fb6f6bd485da

SHA256
b3e1301b529892fd9265f7f87b2e67a4b8f44dc135041abec8ab4581d9920f61

SHA512
20c91a5928ca335c2d1e8f5d42a05d46c9c359dcd27ac566662e76395ec3d7a7cd5dd3d0b9cbaa74db932a4ba3f4157d64885d26b168fd37ead97deb8b57dbc0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
47e155b09c7583669858817c292a7f70

SHA1
71dc37ae203223959662b5769cd01af7518ced91

SHA256
3b20058eec555ab772585b2eb843a092d7c9cbb47eaccf10dd97087420a4c892

SHA512
a2a015dcc029126efc8357a68b9f3e47fe2b732c8a7486db8f67dc7921ce4f633f21492503e3981b5198c3ce280ef238d87c05044d1f50098674a3f1b700246f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7ccd9d1286fecba7ad57f5eb3b4bbcf9

SHA1
1ef3581452be8bea4468086109cfe042ff50ac2e

SHA256
b8a3d387082707917ee247fd72d1064e932118fb437d90415a9a8399f1481ffd

SHA512
ef1a516bf6c72dbef9332c466b632f87b3eb478768a159f2f84212a5cd44b78dfcc90fa31d6f04dba8e74cc56637da8fbe121fc09197a1c27a7f8099cf7f15fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1f295d9ed7aac5d6ebdb7d2ae0695da0

SHA1
72deac9f0af94998f777a077e3fbb0780767663a

SHA256
102fd84060018e4aa0181a08cf7c85bca54dcd31512db31a754d7eeddeb929e7

SHA512
dbfcdad2550ab932249eff9c7c3b0337d1be6685f29541858ca20c90e99d7700b080323f4e88ce4b00f34e1e88798b616239782e68d871e900b41ee3a6b8c936

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f910c8b752fe812b804b2beefb9916db

SHA1
4ed9508d207338bd9c2db4f4e9fe0a14e90d64b7

SHA256
3e58e9d2b45b2ee642f10f7a5043986d9ecd032f8ab1dc97069f907c7df1bba8

SHA512
71032c212f7118175b55a8397af97da76d20a96bbba045a153f19f8c3995a8e69528c0f11c44430de52f6add1b06e8f12625f9b99cd24c2cd44d82336631df5b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d67650c675a13268a6bbf1c41b817714

SHA1
649ab146057827f9b2dad1ee71a3d11be7b35c07

SHA256
0e5eac177ef706f32a82913f6369510e4a9701b8588500476697354686a4df0c

SHA512
cfb693e0dbf2c5b4b7adac2676dd86263bf41c6a04e22e3fb5108e5fbbe0ea83151cc71c12a4d890343c661d8954bd3fda2afca2ec52916b4f2d0f5ff1def89f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e339e397ced94bde40648e413d0bdc89

SHA1
b76c56ef63281ba97708d2a892d63e6d9de8cad2

SHA256
696f064da63e2332903fc09154bb0109f30e7f8d94fd4814ebb0a86330da8e6a

SHA512
2402f957757c63a0a4f6591529b2f25c06a34e25a0ceaaa19fd6f454e8f860f45a6ae51102f9f8b9e0564792ddba0efd44121f8cb14324d2e4b8693b7ec61b08

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c23370e22bcd1e4bc8ed26b2a86556e8

SHA1
3b742493abceb9543a37bfec7dd25d86da4e91c9

SHA256
3d42bd3ca489965ae5c35ed0b47c3df6f684addb7bc338fac62952f3354a3a14

SHA512
cb72f17dad955976b2bd1387dea00a500b79a598b100c3885acd4b1332176a2b3da12ddbae2ec37a2f19624aae7e0460562dd732b78786959168085d785828b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
77301abe181669fb5b75a40258e49eb4

SHA1
835d5a92830ce95e3b287e0ef39bc90f48186c15

SHA256
bceb531dfe5f259829ef95bfad81f65abfd4f32a67493c9d604062043114dd03

SHA512
5352e7439fa8283bc3c4a221d664b48110bf4530140c99a471b25588427bb64ff34453790e69f0fbe96f7ce0d495a515ecbaa91812d952edd3394a840bc9f713

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2f96a900092e0477055c878acafbf38c

SHA1
a912d1ed685682b544182a7665dd208e78abfb59

SHA256
cbab2475646cdedc39c78839c80db61e4e7b02dd482393590ef07409f85e95f9

SHA512
1a04c086e5b639e14c4dd68eae6ca926e63a62a69e166ef76bbb0ef29ed2354adbf41748d4e60468b73fef3b4e2510194cf69ac3a4d7833c52b318e290218aa0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
06c347c1d5bac4709e74ef9a0bd155cb

SHA1
78f8fb69c25363f0dfbf6c8180691bcb11dc045a

SHA256
70142d6849621a3db73d3204ab929388bcc9b097837f96e5d732687b240f8501

SHA512
bf39f531d3f582614646b6740239b7c52db44216acdd4381d5057e6939ce48295a28e21f58ec13215bd803bf311deaaae304d5af7246662d72e8bf654b0ba6a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
27c77ee2949969f15fb80fd8f495213c

SHA1
0ba6a9b884fe310423ddb6e350af94204c428100

SHA256
10a60c573ccfa4eec88f084e7aae86bef9ac1752fb5bfe8e9f56ed8d0dc39149

SHA512
be1f8e3c91c20e2c10f1e1a76dcc5f136f665b14d988978b38ea00589f4c418435ccd457ffb8d0b8ba434c8a1e54ac44e3aabae30b4e0192e78a7acdfb00d494

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0b83efc6881f6fbb8b8067de1b010290

SHA1
f0e7006b9b65fee384b1623c785c7c62ba2c8b7b

SHA256
52c0f26692661dbb0c1c8e3d0254ee5e9ee7c992403223851030b181cba7de74

SHA512
c2874bbda492dca456a180db424c563feee36e00cd603c07478a1358d66e820380dde3e88614457ef85de3e76748febe47b5c13c9607282e0482c30941f9b0a6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3f3c60d8c369dc67ee9fc73f6ef0b367

SHA1
44ddb2a513c11d7f404f081a872f64334837d3f0

SHA256
f644645cee5b52ee1d6927dad7afe7f91924c812b1502a55e7dc797cae55d5b3

SHA512
77f8d58130d65226c3e803672b78205efb965225e289615acfd5ea50cd45fa010b74d1da66dc62f8f506ddbc4ae3d404267acc6f2e01b156d7fc542148070e6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c447c196f56ad43fa4505f28a4d895f9

SHA1
e9a3c9fa8876d161363a980728ebd2ed197d3121

SHA256
50fda4b0bc6f4d32a54f2daf59bb1e52c71dcb4f2c07a29dd325cac69c47e3c8

SHA512
0dcbd8bf7ae9c8c53f0969dd7227f8660889dee94c2211bdbbdd8139d910d825cf9de6b7279931c0bdbaa42ec810c63031a76e5e8cd6802dafa8bb5fd559a0e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2412268f784703940a1c7f2bac63c79d

SHA1
ce8f7bb7cd65d76a1d9081a9dd9c01d08aa4b076

SHA256
dfb91d487e5ba81bbb1ec5a469c0a1bfd81aaaa90f942be3021a6f027d615df9

SHA512
ce2ab01196b543affce5e1fd46629841624d3997f4129c5cc9282fe61242ff9bd89eb84294862d84806ca3ea77b524eed6f0ebe54b6d695a828e7e2c26ad9162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2e68a0c128520c62afdaa9a6dd1c0ba2

SHA1
910836592e5f8ca192123f006a10d440f3f59075

SHA256
7de0dc6f0fac7c29ed43d8bd0e66213fc3f1148771d37f1911e9d673a39621f4

SHA512
91dc3a9a03a035688daa13cf4cc880b6cf766d9718e1b574a548040a88fc70bad6356d88926572ed71e5dd96a1cc2d299c44d19f4b048339863622509c0a4fd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
92e9c25ca288852ca6dda15005e8c264

SHA1
47c8e6c78955df0d80e5153a0759284c029fb30a

SHA256
db897aabf7e5fc95d96da15df943139e3eb241802d95e0d77c59c83497806ac6

SHA512
8e8749d1a7278d5eba5f1bc387d880fdcdf8bec7d2ccfdd681af14956140d13bc3a885e249cbbd3840743d632499e44dd654fe89e912000eac0b2599edfea319

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
22becbd35fbe15c8478cb018013b04a8

SHA1
79266724b44bc2a09b4117a111b672e58a4da394

SHA256
e39719efd91adfd3208203eafe42592f9ae98d7f6f96437ab63da84dbc68a771

SHA512
1fcd34e92f02d0eaf651dc48c0802994876ca4e55d977240b0ddc699c0655830a424af07517c8ea2523914f1be4de1c89f7f8d92dc408dcff92cc26a1c2a802f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
714c5ecdc253e550fc841762f486b3af

SHA1
40683f57453355b749d18802337ceebaf0556ca7

SHA256
d67581b29c837ca92882e2291189b2c6bd53f10e8bedc74dd9fea9ac3efe761a

SHA512
56bd45be5f029a9321aef3d08ac61553487b0cf0925a4e43aa7d4cd04ed9a62ca2448cf3b1d1747748ec79a99d39d04746956e6afc6a669d36c5d66b4af786ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
743a726a732a7c1f856c2e657ef441d3

SHA1
ab504f65d5b28b99123a2bea862a258403f1817c

SHA256
3abff79f8ae7bf166d920a01aec18b294f78dc7b53459167f964fde428697e47

SHA512
1d32cdca7a499c7fd12ed10eb1b7bd41c526f5606c8c0a36664a2b3fb2182126b67b12f435add25f5a5973ba27baba8091c7cf4fd147fe732b1ddd976ac42549

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
326ab6bd979bc1e4b07a3351f9c30150

SHA1
5e4af49e8c1ffe285f86ef07d56ab1211672adad

SHA256
b021569d5c12a22f7c3e321efe296838307c5bb501d8e12f707f0e9d965402d4

SHA512
46696490928dd3d86c4b3c9ccf9454f9f326965b6a5e58a6859976d4db004659b6cea724781d9feeddd04a963a012474082f35f7f25f5febbdb5bba6b5a58d4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
dab5bb905bfd6a9d2af2a7016c66165e

SHA1
ba23bfd1843fff3680de7bbe93e3ca1b3d7a358c

SHA256
46167644aa9b67ff280f462f6fbba4b8400c0ea4fdb29eacb84f23bf589c99f4

SHA512
d0e072e9cb8e7b32675e5c53d525228f3e1a5848452cc30a84a6c330796e6d77fd64ab5e7baae5102d693061dfc999dadca31534d4b69a56277b46d419910553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0ea1beb5c75be8d4fa63b41b5de30309

SHA1
3968ba4dab23ba797410fdc8ec79a1b8006d5fdb

SHA256
f0595f8bacc3f11757fb00caf2206825c9f21ad82d42c05d3a88c164714268b0

SHA512
4bc9ae9a1308e3fa005f93b1e1277b208a8a0f1e69cbd872da2e93a0c50bc714371368d613e44348ebef425e1f90c68ef0bee4113e55e5c59092538702ba1037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e422d38cda2746ffaa76f775313ed5f2

SHA1
77cc6ffd0ebc73d2fd7a1b1f6897388226881f9f

SHA256
d017b52f433f809bbb55e9bdebe0da994ff95f157aaa4656b9b9bcc6148e612e

SHA512
e4a0252b1c672f8ff0ac6a3b9dcfddcadbbb4ac9b0a3901d5753d9df8c366a21a8138f25e97f5dd620cb1c240519faf17affb734c15b9573c6b98de9f0451e4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ff36950c06e5ea003a338e584fd96416

SHA1
9ca8d5b85763b113e273c2667ccbe3289f2fa589

SHA256
d3f8fc69eb782412f28a0648b8a27d2e552fa907ef8592539893f9ccf61b5e21

SHA512
0ef6845e0d25aa1026182c46abe0e9337f5186afea5194254f7a4004f2d2ff91931ea95f0b447be2560175bf71e4c77c1fa4ad9f8bd1b4bb7f840d9f5d71dab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8a7cb7c4ec0ac59d2414a683bd65cd18

SHA1
1192a8345ca326818e5535ba5d1b77a643c63b16

SHA256
f116be8857e17bf03faf73706585a0804458c7b859538d480bc4297e724e7a26

SHA512
9044015066160d0e0095a17df28fce3868412dd9cd367e2c133102acc23181315b913f4f865ef4227468d6764bb0cba1a7c6cc459c7f3998fde2cdd6e8005d2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
ae50c57bc7c0f21b7ed669c38586a527

SHA1
db59b3c9a48304894e410ddebe9247ab969ba028

SHA256
2c641bcca701d458100bd8013b55da375935dd496b1c4d2e9552a502ae38114b

SHA512
dd3eca416dce9b17161b2159c3c7b0073a88d385d1983264254be5e0122f8f31239304bf5677ce8af8ed2c94ace7a0847cabb05031e6626f95e0898d22f7b164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f7ee0c6831ab0ffa304b30f6583fc799

SHA1
0cf2811d6f9f934c63a8838e03dc7d460e4d7d61

SHA256
565f62401b4abaf952e4cd5b079bb06112be122a02ae1144147cd7315d0accbb

SHA512
ac7dfc1eab423d593b64dba14a60af6512549282a99ecc3bce7a7107673fdb36d27040b46c15afc874295d05d08bb8fdac5771f1a164871a28fa8e81dbb250b4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
39b652b5057e12aafb91778516b38cc4

SHA1
53b647923aabe19c92ca800499ad90cf23a7e2c5

SHA256
026dcb94a1f9e046ff9824343fae815ec96d103fc3ea6fe1cbe8ec46e0ec3aea

SHA512
95f398d8890d4590497515d1e6d539752313f10d7f75d6f589d3e985d687def98f81969248fdbc59180fd59f4066560eab062cb383d96182e165674433928cf3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
a3991a2eaf4bfaeba3eec4cf7a60bee1

SHA1
cb28075953fb8cc6d386b09952acf1e24d1829b1

SHA256
50dba6dc82cd7c7015eb55d7c425ba3ce0e6b7476a631ac2db6b376fcb5c620a

SHA512
161dd3ed2260db19ea0a2aa1cc3d7160b5629dc15be10c929a4dd210663cfc8ce819efde609ce0918cdfe928a01df60e38cede44d612b8d9590bb02dcf763ef9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f86173ee6bfbe86b03523bbc52689c1f

SHA1
89c551310501479ce9b81050b43675727be2fd60

SHA256
e0f91e9903d03445ab041c51320ad5b052cccc57faa309076e7b2fccf26d5717

SHA512
0df9cffcca9e32f42bd07f36bc6e1b0da12740f2d258e293536340697432260e0a2a46f382b0652d344d45f7c5480dd825918b9d458c4a8af114a031e0acda84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c5a93ebe49162dac0c54ddb31f7c6aeb

SHA1
bc154c60c437318743b142daf10db2c31936f83b

SHA256
d4277a9ea29ef2248a147e30bff91f71ad79c210dd1cf619ae475308dd319a2f

SHA512
ab05833c4f44cfc26971c68e15d82b8b65bc93a57944eb500cc889dc50de48c02bda8c99ffe9f57e8ba00962a0b85add5495593a4fd7c22777e2be291a7509b6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
54a73e5c318c68bac20458ffde5f1dfb

SHA1
b97a65f56c1edb1380b5d3eee242818b6b7f430e

SHA256
d4af448b75e221b12754f78c4a4655a13734e58a60780fb96f7ad4762d31979a

SHA512
a36f17a60e19f58150775b654851a558fd91e234ce002d1fa2987447b0cdbc634b7f056484cbbb1a994ec6a810e008ed3f1e7957173925ea5e1410aaf9979528

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b08fb95c575aa61a077aedfaa29fcb42

SHA1
f8aa99c77ffb23a04e55ecadea4dad97b7a0a8af

SHA256
d208a2657db4dd33e00959d091e846de86cd8ccc83bba8b0766dacd787fb6e13

SHA512
d110534a75874464e9218a9b71e20a6badbe9779c3903b0485047a4b55648b366d6b7e4b5a0a9274e7d78ee0ba1be4f136b4cecacc1ae3537a1310701f564a6e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
399726b7ba2928a8616129011a513723

SHA1
d3d8546b8d8e3d0452ee44f2b64d6ff22ade888a

SHA256
d99fa6f801a46e81f1ca09c177f112f346943ff49ebd7062960672e7d4535309

SHA512
202ec3e229142255021c3a46af1e43a37446a8c03a024d4feeacef7aa35a8a916ef7362e0c51473e1cf6b3fc2f93a3518e22611cbecd2add9790bd4f42c75b0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2ebb067d596f36eab6a8a610d8305e9f

SHA1
d5531cbf2793c2a215112bf4f87ca8c219167ab4

SHA256
3fc635de22a71247d7a9d0c6cfaac26c1d4ced820c5a5d5c48f4825d9b06b34f

SHA512
8a9fa113bc7ec621a08590d5baad9cab501711184aec8fb3cb1e844db58f8d07c382e5b3515f581363b207ab09a2a8802526e127f231702bb1937ebae06285fa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
55d4fe36c47fd6022544e7bea9bd2619

SHA1
8d2cd033264ef3a678c230937ad9e2be7d8382b4

SHA256
48e28d5435068d48ffb477c56ac18d6b6c22c66c87c629a95abc8ae55f1cf0f6

SHA512
ef77614641fac0001157c108b75159dde022ac443538c91534722c7c02b90ec6d38c301f1b0dbe44f58bd81b96fbf8660574011fa1c4af80d691d050f0bf2d44

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7016cbd0a93e65adf19c9ddf9b4d16b5

SHA1
b80f1e7f85b49d91bc21eeccd1779bac95ce10bb

SHA256
273d0a7208360744a0804a084a8286de5daea9b55f30a7b71bdcf39838ba2def

SHA512
f3076b719d52b16c59f26a98fbb5ede1785206a685ce53c97c18200fd85bdca677fafed9809a9742afe5892209ab14bf0072fb7eb4c01fd1a2d790a7b72bded4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fde395f23df84f07311da3f4fc608972

SHA1
ae7577c11109f60ee0eb44be31874535c6a3cdb0

SHA256
7acdb8680cd5832fa07be54c329d7379d796b768e8f2a4651e18dbd1890a91c2

SHA512
a336dd887e75e54d3e31ca518b66e70857f0e130d604c9c39d1a78550cbace4b80f1e97599a5f3bf2032d189874efdb52da49efc273aa1feb9db382795da7909

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ddbca34eb9443ca8da529f99ddacd4df

SHA1
eb3de296779187ff28e65e6414a77419e8fc0a3d

SHA256
f44558ca4df3f0994fb83547b1c0348609a77c94ebb03400f6dd789052617c55

SHA512
6b9d9543828a56e02853629a0445af2ddca94f4d2e561aff3c1f506145a4c8e257f11245c6d58ab599d8ebcbcf889a9c2332afc14a4e7b8c245830866a148637

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9331edf2077466081a423ec42beddf4d

SHA1
81b1513cd1450a90ab62296b2e9d36079177f2d4

SHA256
ae7de5a774736f380883e45884c7e1c046ad3fadb0ff3eb7ae114c87b5255315

SHA512
e84670d28dc71ac9e486e6109e075875be8e3f3e617ed62b99ee00a776435520cf3db67d5841bc04ec13279665bfc793bb5ebbaf937ad56fe6a688ceca3150d4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49f6fac17f7fed98ffc1dc745297b2dd

SHA1
a0ff577f6d1e8acc8860629fd9558909c91aec89

SHA256
f024d614114f5a4b625e3fa69247e67e5ea4a212524e491c618cdcc14fb85dab

SHA512
24710698a4764e68a764a00b20eb2c8432bee6e28b372919e8f53ca368618c22c4a288f69f0cc705c673adf0e979d107a73f5fae61861da6398f5f4734c0d6fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
eec45e79a8cf66c5e70014e52812a4a6

SHA1
a1a985fc663a52e30f299fa5ac3e0aa5090c6123

SHA256
4a662b797eac46ebafed6f1cf7eb4f37947a7fab3fe35525219b9afb20a0dc4a

SHA512
ae61718dbb99ae51edad673932c2138dc66045fd92bb15449eba079682624d6701a16ebba579379db4a182f4b12975fc9fa33a9374e98faa60985ac67973bfde

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c4649cef2accf4df9e59c69a270dfee0

SHA1
9e3ee92e9258ddd7343ea84a66bd3a4897f08049

SHA256
4e6f03f03e4a3d2a37cddf2f20dcfaf3ed1d9e30f7bd9f4722004bf6a86e00a9

SHA512
e542d328b90d4b8b6126075f247e09a26e63b2dbc761fce7b7691a17f3102c60ba2d7a1807e373573c1155c2b23af833f7896ae7cb417964de4079ddff00b091

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
078b90773e43defed27ef3d1f29cca92

SHA1
612c32244c6127ae9881d59e3cf3b5019c938c1a

SHA256
c0c2a9b6ba9940a2e68344fd5305274eb771c1f65b60883fe400bc74adf17d5d

SHA512
ce1cef78bba4ba8b581fdb3404f7b5912c0035ea24bf752c9ce5f0c9e0bd53ecf55c7d065a69549f24c2e0485154b4101368549bcf74bbbd7315baa08d125c20

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5bf2572b79cdc47bc51bca020e1d0a1e

SHA1
e304f3f2a2532dede0ba243512be323d8c0cb5c2

SHA256
581d015b3a030251d4da95acfb9101b886174cc5fa9c562cea94afd39755d10f

SHA512
30c25b81bb22b98ab8bdd85d251f085a1250f167fe815bbcc4ecfaf8235dd2b8a74a23529d69edc6ebe788854e69161e3beeb375d12d05fa329c01b2529057a6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6cdaf5a7d84105577db3341b5768ca6c

SHA1
aff00ee64bcb5e374ade65b795265aec549f760c

SHA256
bdf0c9cd3e771ed99ae51294dc214fdbe7e7339425b8c4c5410742e3aa97a400

SHA512
68928d598623fb175fb267d0306dba2900fe9e1e7b69e92ee1d259e3f52785fd40f856d6f9adc254a51f76332a5d626bb1e11a1883c0777eb4756036d0f4da63

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f61354d9313929c635c52ee9d2b956e6

SHA1
a222034176cbe294c65bb6cb31c65206273cfd14

SHA256
3ccf4c53da3c6d895e82c6017fcb3db744a637e2b327aa54e495259a4fb97951

SHA512
261380926154e3c148a63a7a41e5fb6f3842e541f8e493d4877f932620c608e3f7b689503e2813b768939eaf3434ac7769c407b5820afd745c6d0a64d1e22c2b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
40f95c6d531a46a84d64d105b7366541

SHA1
6925728607a43d2520cfacde3fb1bb7d3ad3db23

SHA256
34c32c86b1d49f9aa8e893ef9da5dccddc14543ee6e1c33201cc15cb0e15e5c9

SHA512
311222fc2834f10ceb08de6302a85abb02614a3253b22f3b3fbdffd64084536cba09882b104a4ffd53ecb6d52faea859c8b31dc9a70305371bac4f72bce86dbc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
fdbb9e959c17aaf10fb56959e73fd976

SHA1
8dbe027b63365f10785bfc05a2549b51b4abe80b

SHA256
78eb12f1a11d2bd9288d7b71acb96fad0c79ff8e982757b6c2c525d5fd3f328d

SHA512
2963d72870e0bc1b2ebcda41c7086d4aec7625170523a363b3ef458e09409f71c6d4a38763bc2a5b7851658a000b3813563dbf59382543140b69f2c1f11ff56b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
683059d5718a62ba9ce85931eede9b04

SHA1
5e90e255042bcd29dad33c37722169b2b3f2f0e0

SHA256
7beb3cab34d256871da5e4f6f8871f6811c94d70f687feeccdfb37efd7304a0f

SHA512
7bc07386a466b41e8b98d6a01d5887277318cb79a5ab1a85986241736171ad3a38fe67e69baad48ed0b9abb06adef358cd4965dd238895db19950196c0f10a0e

Download Submit
memory/556-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/556-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/556-43-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/556-47-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/556-36-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/976-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/976-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1288-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1288-645-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1496-132-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1496-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1496-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1496-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1556-82-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1556-72-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1556-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1556-78-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/1612-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1612-142-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1924-18-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1924-87-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1924-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1924-12-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2000-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2000-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2000-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2000-178-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2036-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2036-183-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2740-650-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2740-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2796-644-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2796-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3020-165-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3020-468-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3256-648-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3256-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3276-86-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3276-5-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3276-10-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3276-0-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3520-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3520-475-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3528-643-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3528-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3624-89-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3624-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3624-206-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3920-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3920-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3964-157-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3964-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3964-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-639-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4276-184-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4404-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4404-649-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4504-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4504-229-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4824-133-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download