78eb74eee57931dca7d9ffdceb1183af03824a124765175eb24ef2bdbd49facd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Size

24.3MB
MD5

dab1d6a0c97420228431b49503d7bfec
SHA1

0f83be143b5dff9ff9f3e7c634b390c5956208a1
SHA256

78eb74eee57931dca7d9ffdceb1183af03824a124765175eb24ef2bdbd49facd
SHA512

0b3e817e1b35f48022aba4e746a965b51800252675a949e960539ebac27ffcc9861e82e5d643d1220eb14379592ca7a3731e990a19231f79c9b34a62cc6d95aa
SSDEEP

196608:xP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018lZLud:xPboGX8a/jWWu3cI2D/cWcls1Yu

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2032	alg.exe
4172	DiagnosticsHub.StandardCollector.Service.exe
2356	fxssvc.exe
2792	elevation_service.exe
4440	elevation_service.exe
3728	maintenanceservice.exe
2428	msdtc.exe
2368	OSE.EXE
3296	PerceptionSimulationService.exe
3448	perfhost.exe
3248	locator.exe
1172	SensorDataService.exe
1832	snmptrap.exe
4916	spectrum.exe
3652	ssh-agent.exe
2788	TieringEngineService.exe
4084	AgentService.exe
3432	vds.exe
2980	vssvc.exe
3920	wbengine.exe
1788	WmiApSrv.exe
2232	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f7709ca2bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5dcbc3ba1b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d37aba3ba1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030c9f234a1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071371c34a1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d43ab34a1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5d31934a1b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072014b35a1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000061a7a3ba1b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee18e234a1b4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bec5635a1b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2356	fxssvc.exe
Token: SeRestorePrivilege	2788	TieringEngineService.exe
Token: SeManageVolumePrivilege	2788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4084	AgentService.exe
Token: SeBackupPrivilege	2980	vssvc.exe
Token: SeRestorePrivilege	2980	vssvc.exe
Token: SeAuditPrivilege	2980	vssvc.exe
Token: SeBackupPrivilege	3920	wbengine.exe
Token: SeRestorePrivilege	3920	wbengine.exe
Token: SeSecurityPrivilege	3920	wbengine.exe
Token: 33	2232	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2232	SearchIndexer.exe
Token: SeDebugPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4272	2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2032	alg.exe
Token: SeDebugPrivilege	2032	alg.exe
Token: SeDebugPrivilege	2032	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1844	2232	SearchIndexer.exe	111
PID 2232 wrote to memory of 1844	2232	SearchIndexer.exe	111
PID 2232 wrote to memory of 4492	2232	SearchIndexer.exe	112
PID 2232 wrote to memory of 4492	2232	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_dab1d6a0c97420228431b49503d7bfec_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3320

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3728

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3296

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1788

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1844
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c9c8a6af66b8f76d199e0c62554da0d8

SHA1
ffeb9070d628476ce7140cc81cbf8331253de159

SHA256
692955eab6761cc1584ea82e1b83511e62d945b6810dc7987c4d42888afe3258

SHA512
5e436e18cf6943bbdd938d3206734903a248da4903b69cbfdb7903ca91eb0e21bd6ceaace5c4c5578b4b3747de21e3178525562aadbea84b8f7fab3b9d400e3a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
87912877d09df461a1f1a59f3d73c082

SHA1
61e3f6b1ddd5a06bb94ed72f6613d3e019e83880

SHA256
54f18d82dcdf18e3dc82fa85fa6d516ca5289352a38c27f3c16302b930ae28ee

SHA512
2587fea0a20171f18cd44858c83084f1c8512d4ca755ba2f692b8e7fa06f90bb1635a11c7910e3ce6b6f780d42cdad9df0cccfda5f63decf2641a6b019ce0103

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
7fa5e0fe962237c6eed8ce2b962ed162

SHA1
44164c43363216e4aad78eb00a5b9c52f9e8a7f7

SHA256
2f9e1ce3f9f46e5b6e976cba8a6d3d9eafd10b745c891e7b1ab35fb3969365e6

SHA512
d916ca832f7acc5c993de66f7cac49f4a4829fa495ae1b33c26a45d20abe9779d5ee69c65594578023f703e3cf36f8f6936d37bf340cf2fa3d2327f85364311f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
880763ae1238c49e1a04c96ec5a79131

SHA1
aa19b13038f77eb03ac9bc545548dd58dded4a61

SHA256
09deaf30774bb437aa5c33a3332051f8c38fbe6e2e33d35fb0104055a5a64ec9

SHA512
567052b136620afafdca2746324d3d2ffc8d69265bfc688df339eab4bce1c8b9f6e4fac92a76580271d9140488ad0e6e6f8bf41c53f6c60c6886b581c264789d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a76db9269c9575d0ba87435e792d3a61

SHA1
f3b680d2ac4126b558d5e529617af79ff8a5aeca

SHA256
8154747a02812ed386405dfe67db8c914783ec418b819f3635f2d602fc55c0ae

SHA512
e44264dce07351953affc85bd183856768d731c6ecea46dfd3cfaa5ee110868a58ae5bd55095ab5a3123b700caaab3299aff4d0b0e960b251ce236fa81737e96

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f70e96f73abfa323fe7761cbae1c3369

SHA1
3c22c73220e3ad50fe25156e1485653292ff5452

SHA256
f5853d72464529822646c3a3441892860a9b2e9aabcb02c945f0380836d0eada

SHA512
a510ee48615263b097fcc4dfe0ad5f32eaa4a490a52b888c6e4107985967b24be251e77cd5109e631b2df195cde9310ec8b95102a7a894d444887cf963928553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
92e920dddf204ef5bf6e789c21dbd101

SHA1
571dd5f79c2e678629a3a3f240bd9670b23ad7fb

SHA256
c03a26240e2a175df84e2ed779461069ca392c5976d9d0bfcdcc7573d3eef98a

SHA512
7171f9d28c327cca1a8ddfd8ba001f71f6800e8e8a95c07bd4274d30ccb5ebfbbd81a69b986f808a4fb64f02ddbe33ba4d6fe319c9fa68d7b2d5630d2c57485d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
756a7c34d8fe9c73a7e772bf6346c65f

SHA1
a1a05a0a1c1ac60c79a44635514cf9bb095deeaa

SHA256
728dce0c2119ccfc130b5a0383dad7911677ab7f8a9422b8da15312dcf79377d

SHA512
ce864dabfd71c8693336817ac68fb34b044a8c6004c0457dcfca658c378b20063dac42d5b79873e4b14e65d36d917f184ea2a12a788f44dd352ab4ebbb09ad88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ce5d3eae71791dbef95ad18456ed69ae

SHA1
401475f79c52e5aabb124dcf6e583eebd44d5389

SHA256
bfcc4f94605802f5ea1e8dbab84a6391f94e5f224860cc5db21c47600a863f54

SHA512
95910bec426b470321e313bb01e7cbdf01eaddce14884bdd853ca97bdfaf8f677f3bf96dde4d2864e4adc4d4dfe0a4877abba836eab67d7d77eb761c128ee2e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
83ff0f08515f14b30f6c3e3d772bff6c

SHA1
401cfc01fd83e6ab3f40800b45fb53d4daa00d8b

SHA256
b0b72d5322541ce666ef3316ca199f2a5f3448d399b805f6f50ba9952c236015

SHA512
1d44a335417c267abe40381b82fc63fe0e47e911a986ac3fba97b9d44dd88e0539ab8a0db1bdbf2916849fbe48b6389de28a3f151a762a1b6a4d66b0d4639514

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0fb1597b4526431ca2f0519f37939472

SHA1
0b8a99cdbb46a5eaad24a8f20b3c3483aecbbdbe

SHA256
c85fa1659060a535abcab6e824eb0a270ee3b5f5c15c1daee5489128fc2aa25e

SHA512
fa81654e32355f953a20012420b9beebf94fee356b6a10a11191b8523e9d59ac5f84b82368765b68b86b4049f58b86d0e08564db4ddf174fe3ae9e9ef4034e77

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eef1084294682a6aa478198bc399c9cf

SHA1
e45da2e2e89e73d5a15f2fd3ade0f57112ea8788

SHA256
049df92ceb4dafea8ff9c9e0cb690edfad57822708f1033034a43377bc4ae147

SHA512
609ad73364a8ed4318eaabc4fba1d7a020bcdd09f1dfc45f92c4f9b82f26614c617349611d1eae2cb03b04afedb32287b8c882d50e0c8d9adb34dd210a09ebb1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e1bcb93d0c3ce51194fe2696fc78ff2f

SHA1
a77df31bc5b41fb63f6b539ced9bb4b71f13e5b8

SHA256
db145ae923cafa0d7d5ddd535f56dac9b85c7158626bfd033288bc31f58a5cd1

SHA512
89c5acf917aaeee4bde5977efb556cef45c1e5ab8acea671d1534dd046eaaef069d4fa42f49cdcd34d3d5b1e1593a31be63335c660efe7df9037585d85c69410

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
269f6d70e4292bf8ceb0d8c21c80f478

SHA1
ffd11a09c85375a4e55c9d30ca8c03facd5f15ea

SHA256
ddee8caf0088691f59afb669fc113717c9b101f0229593025beb9ce7279d53a4

SHA512
3887552b58110d6216ea82e1a3ba71d1bf5ee8c64acd81fd7ea0a3202202d5d80fb9740ad37bab68309b9759ed846189fe8fb3e32764ca7804077ea5cee0aff1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a6111f62439c3bb09812e9a536f81cc9

SHA1
fa7ecd4cf06daed3b028c86709fa19e65a49ae1a

SHA256
9b7b7ae00f382cc6af8c7e0d551f308d5b24fec4d33ec17a12d0aaba0f19b113

SHA512
f4de9512b65576ce740bd446f90d7dcba0d859bf2e34d29778fd8ce1526ec55ad85eae379ad20f86eaa9a371f15e2c0e39692fa5cca2dcb08d139e98481791f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d4721ea26a93e82e52bff61ba98bae0f

SHA1
06b52be539696b1ccda3846d81e535aa50d07fee

SHA256
3f4121542c6bfafdaf7d62a33150c57a2e52dd34c9dd0828313c8cf2e3803ccf

SHA512
26b04a9f901cce3fad385f65bacd3aa462f7818c8c874a3bf0275e89ca3e237f298c1b8fdb1ab08dcf115e57357d8a3049961472c0afd121f5c172edee1f4534

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
69b4fd4e78b5547e0316037ee887742e

SHA1
ff8cdb0a1bc2283c61f16c8a5a6d78c6800e6c9b

SHA256
668d0c2f3e14e167f5b636480bd2727888bfdd85d791ec66687afdcbcab6eca8

SHA512
033dae868d02f04a8d3146b17e625ec5a53762f9b122d1e91a5b2f9c7d4014a83acc2bb0c513593aaf1bc1f5ac44b9758f034fa70acb16fd7056c0caddc330e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
25d5f0af7fa5278d43ddfeb4b090e1da

SHA1
7a545930a6f1c214ac9ca0610fcc013374a34279

SHA256
0fac9ef66430fea58bd5fcf41b1bfb32cc851626f427d1d9358ee1c78a6b5fcd

SHA512
9169eb46d8db01181ee9af3e206fd85abb688769ca118d8c94e5d6075bcbb1fb8ec89c8d0309b464763311d498c6e4150de3686babdac11afbacc1616e277ce9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6ad1972aa5b65fbed51eaa098401e634

SHA1
d1789b3e8c80d4f235bac923edd722952223bf1c

SHA256
aea3c489d2d23541fead4b9ce385cf3268b454401199d6a07aab5fd874d5d0ae

SHA512
d76a491d0f3251489652b345ad7bfe9ade410da7324f7584d83051518f34ee8b8074bf0ee20f78d3fb2da164ae658d08d637dcb499eb18910dead2dc7d942aa3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a858b9df57ec8e2da2d141d2712fc59d

SHA1
e1fdd4ff7ad6df2d1fb85361cc1fb614579f27d9

SHA256
f0496b7c2064af9a44ce86e99718fc1ffaa28ca1c97b0e471ffa13b3a1354402

SHA512
4a74e3fb3fe211182b43f6162c25a46a20ad115c52ea9ad6aadd7b17fd4a4a052943263d64688cd83089576e943cc527f53ec132c9853b8fbf9232a29867ab74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
47510cc7dac72b3ccb0f2218df4b6900

SHA1
64281294611a20fa5bf10e1d0f17c6f6116df186

SHA256
35bf7c2e05098d9f9e5aa3c9ba6df6a31c218155e15765a913d593c62ee664db

SHA512
2d7e5611d0a6c5c720ff312feb7284243179b7c02d501988b3c2b31700f5d7e84d35d107982602f44fb8b8c7ff9297077a1bda89a48a9375778a034374ade61d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
fc82021f602188c8dfc1b9c6465cf3ed

SHA1
1068f892aa78a1b253f62cb19249de6013ccc8d2

SHA256
f7183f7da472c4b7acf220c610152f27148ad620f10b3e8b937974ab84b08b47

SHA512
0bfb08ef8dea6957632e4123c5b304a0f6e082ae5d48b235a0d735f507d766f36e118cd76a6c4c15856bba2dc4c74dadedeb6ded9d2a229f35333c04f7eb7e4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e545b40482fc2f88a18803bc74a86f9e

SHA1
c817a518e9b917854c89133c3dd559d6cc715c9a

SHA256
0c894be9521d9f4fc74d1c273bbcde75cce9b70a7c805ca5eb3043e62bf31f71

SHA512
6bce2cb30a8dd3276b6c37bead632c4c8302dd0947bd046c91fdec11954392f00ce1ad0ee94f27840ce68fc283e20513b1224353c8b80fedfee0848a123615ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
8dbf6b9faed2daab1ec112f2f25c0bf2

SHA1
7b5f379ac731eb91f5f27b4203f06b87cf9c0e2b

SHA256
2548ca3fee9d71f1b5415e2c0253191a3b65397da47f4d9b291c0b25705f023e

SHA512
850699021c53f90a2ed7529a0f6de013c8411017a8bb325eae9904b8a4cb9850cdca081183df4b993f1beceb1a3391cbf3b25abe49f3e746c7c4881e9eefeed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c4531902a5dec5606bfa2a131c5a0bcc

SHA1
91674d1afc8b20095b5a1bf74386bcaa84384596

SHA256
3f8741d5bd3b5d1b525ed8ba31028ede64f7cfc0a779f1b6a906c975dc008c86

SHA512
27348d2ad87661a2426d82c3964599bc81a1ebf5e8c6e187f5393527b5077fee78f55f541e1914ce182f5c5254bdaaf2889158dc06be68fe622e6206f25a4d8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c4c1171c5ce9657f55e60acd48a02d91

SHA1
ffc21943925716c28c28b1b3406b59193197dc9b

SHA256
4ede2937b21bee51d058f7e5303848cacb13fa6bec235245d671c1e9bd4d39ac

SHA512
350b34c558ff27c0c722da631ba755ef67d6657733863e8c0c30baa5855ffa9ae014ed2e66a4394455f7fe48e646b26494e3e1675d5a2235c009fac5a94bbab1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
18e97c626d8d3d41188cfb78c304be5f

SHA1
5cfed8a4a588054538101bc7951acb2d59a5a694

SHA256
204ccd68db139bfd2c7b01c97d2b3c1f2e8cc41db7b4abff57a6313c0e6c54c8

SHA512
7c60bb268f1ef22c739fa4d76630c88b4bffe3922882c4f6a80183fc47d36575c48ff802486b6e8784e08ac490a9bedf35c3d3b951f907cc366d1b2fbf8937cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
beb9e584415596c5d248cd34835e1920

SHA1
5cda1f1eef11dbcd0217f5f98f89f9776a47626c

SHA256
f82d0a201fcfde25bf99ee4ed7b15c80730213d6264bf7dd7c7f3c3bc6690a2d

SHA512
76edc1842e70b6ba2a93ba3cb34245e92cca2ec6a52d4e2e14653f9a7442be5deed3543dcaa3316d41a74674f1f3ef27d0187f84b026753ab5b6b6fb703efcfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
6dc9dfd27196ef91f40268b1720e2aee

SHA1
57a8184acaaccb837149eb32ae50ab5543c38b6b

SHA256
ed1a59a52365cedd6e3faecef89ef6064151cd4cfd8e977ccdcb760be1123ce2

SHA512
1f776561bfbd1a095eff01fa0de75fdf6c58f966d7423e74710cf2493f0e04141ab6169ca0ef20e36aaac8753fe90791c707d1edcc8533bfd0f1c2fd7e8e50dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
29415a96b389185f02ac8609d8c428f3

SHA1
ec9eee2c6911a507e9ba26f938fa6bf7cc866d7e

SHA256
20122de89b4aebace9436d4d8f72592c8a295d985916a30ba83478179469fc2a

SHA512
87a024e73c8f7430704cae8179f40057a6a6426c7f5ed89f348b635be322ffe76909df3f0c5c0d1671eae4c809c59c115cc1098b0ead0b4a6f592b7b6eb13f33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
4605c70aa1fae7aa3accd794cf5fc435

SHA1
a2974b1d3f253f98cf40d35ab95258f380b2e7b1

SHA256
52ec39e29d6d47b5746da454aa7cd2801e1ecb6dda4498b82640084661b15e01

SHA512
28752b737cf8daeefb26a6e2c36cbb4f646d9e82d0e285068c269fb02ea3672b28c62a1f38a7d58fb3e8ee9015209ff9f7c32c908dd8e2d55124ed4a1610b097

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
587c286954480051e8fdf79654a86b6c

SHA1
191ade483791215d4dea620bbb97f84192fd9702

SHA256
31bf6d016306be3b37e2005fa82755f8d885424019c3978dc569494cf9529e90

SHA512
07d3a903f36b67dff2c2f05370aa47ad509f12558b8eae3653aed2536b4e261fe1c8443c17f90fe0b797432e908b2873c5e9f9c16520c27f228ed41a6035176a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c9ffe44aa677f0cecdde9876c3d03eb4

SHA1
d7e6208c5571bb81a3e41a8fa9675bba8b31aade

SHA256
3d7c0fb95cd5849e5dc6c1fbdba15d6d31ed26269f11a1f5c60ad645fbce981b

SHA512
2974c53db40c668914a5de7b90949ed91f684d189190974eec842d67f38275d4e37c4aaf45442b4899a12a1a9191126c0a0d64837306ccd381096f133b2aab20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2989b8dd4feccb1dcbad7f79f88435b5

SHA1
fcd0760c57adb65e4ecc37c4369df131033d65a2

SHA256
1f5ed2a9998ee4bcf7d85714cdb6e32d47b53356289f2cd203458a4d240a21d5

SHA512
8e4eb5c74945c4b405e9655afc4b4d026c8ad123296b89d11ef3561cd855b2f56fd5ef9b7eff7808d8793f4e7eed500c1e6842b91f6005e6cd868b11d7e11a81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d22f94a49718fe0fd7590cfe7c6dfca4

SHA1
7d419fce7272252e38e0ca5d15196a261d9d7343

SHA256
00441a56d80ccecaca816bf7895dff05c266a95c9f94ac6856fa1c6d5a6d098e

SHA512
15ea0a6d6d2d4624b60c277fd96ca30ba15e1bcd3e0af20732cffe64cef46b265bb66037a783c73a585f1117074fea7ed615298966e6fee9f1ba247d8b2ae0ee

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c29a0fb29afc4fe482fd7edce95e481e

SHA1
223f8647dc515cb29d9e09161d66e090c4bc23b9

SHA256
8d8370be0b89f1db6e4be6838fdc7c3b05c11954e5dec6f8cbf30ea30b778a8f

SHA512
dbca8b668bec516401992079d8b7cca57ff51d75a4ac2fab313e073fac180be211194dffe34f3ba5e3138a9df7ac878e3331cdaf5375255a205565aca7761d3b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
176bca3cba5444cbcc256cd598d20362

SHA1
b4fb698fe43c1feddee21079ecaf25a87db6e4f3

SHA256
511f4393e9659cae5885f84c12b5ac460c7ae03e7b7c54d43e0e8ac461e0579c

SHA512
36f55fbec832b1073bea8c7e8b758123da3a5a4061a3f20860eddf8e9d461e93df5df37f6577a984ae08cead786c7e613d3017d541e104192ca650edd3184d38

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
03893507777cbedb0eb5247e06b04fef

SHA1
72b1605a7496d86f7842c2343f1b38508833608f

SHA256
dcb663056cbe6ce124e04339a6ee71ff87c125b824d672b1eed6985e348b7a73

SHA512
516a027feaf2e1e5d5f7f6340e647c1ee5b7a3ab43dc6c5c60e3ff457314bb2df9904aea2e6ccf55ac01ae593187f8b85e3c62289c395bb019df96943b560955

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fcead8750a5ec6f09b11e5b85d0e5173

SHA1
5db5623b2f9a787bf2f7bd8d0a27f2cb8cf954e9

SHA256
c1d423c5e002e5e705b4945026a8c3b4205d86a78f2ae6332febae4c62113fbe

SHA512
fde34d934ca256f9ca2b1a353ad9c7a6b130cf0628b61769e3d6ebefe70a9f1432a1bd1fea1532bc25ab8990ac16071401a167de471efba85addeab80ccee392

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
69215c43481abb32a969b68bfad23ee9

SHA1
798a0ea4a189e3b435cc3caf79f9d7ab14e85103

SHA256
c75ce3be7e94035c8fe54df9eccd7e12b55efd05ef41aec3e50e98adad555e9a

SHA512
a0aa140ba4902757365fcb7e07183036b03efd9e5542a5652a215cdfb727836009dc4b707e691486a0f52a2ebebadeab1d42e63640dca277cee90265881c3b38

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
aaa6d287c5f415c64bd4b4e43ff146bb

SHA1
f3c0d2e37234b0c353d9490f9b4fb8591aebd2b2

SHA256
36ab1bc0a90317aa5b64c6dd4f2d744194cb5f8812cd6b4f4da2bcbf21c5c3de

SHA512
ad5ebe4fdc78d02595e06948241127ba2a6ab4b795d8fef6d746061e251a7c80a7a224431778d64d49ad17878c19e952d66ffcd79965635e900f02c41dda2a7b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
bf66d3d0aae0b58d0c5db4c19519a763

SHA1
f02adfd144b2847a3aadd7279ea3b4c68a343590

SHA256
f11180d809ec1c189bdb55ab5ab6249e7e5546d88c0d3def48f78b98dcc8fef5

SHA512
9e3f2727c320b4c0d5e36d9cda4f5c6bdd651b88722b6bdc0c381342a885e4827389ee332fd1adbdc3360aa73dcaf35e131a08fc354ef973d16b11a93c635d60

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
36dc9c0219a9e6a9a787acf7c47b292f

SHA1
d934e82ee230844b4a98fd196d1b922a9bfceb0b

SHA256
a4c4e58d2cae0c6d10037df4a2fa72570f4591e65452760120a20e049891ac11

SHA512
b2b755d014c500cf35e78531aaef5fef4b9469c0e058f41c6f7dd01b04a558a9bcadb144b73a2f86b6df75bb6bad2b36a70ca0066fafcf4be3e1e7dfc1fcbeff

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d6c7f7084f299343de9e57a5b6666299

SHA1
2b7072b27974053073c66ce24276379f5798504d

SHA256
11689763dcf714f5c02b9d81b8ba56e4abf822aa563877be8c06d5e9f94695e7

SHA512
e6ed2e4ac3488524f2e5b5e6b3340aa210ba2b50e74762748e8b5d3c115346327181c10726593d24830f076c811d99de781e16df6288d22ff577f804a5fe4c98

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1bd0db7cbf0c6a804595e526207875b2

SHA1
e7e77d98e06b885df29698ef54be752703dbdbe8

SHA256
54d345e985cbcb5c85b2e6354ab9c2c6626ba139a9df2a3ffec5038c982f0284

SHA512
96e56b09ca471f08b45358b940704a6374c7b5cc445a3983cba1d4cf4518a8f5de6ef5a144b22ffb287b91690e1ea829575a81789dbc07b40747c5cc407d5824

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0eb24f21525f283d1c76a45d92db659e

SHA1
190f045caa1289a765238b2ccaaea7b4ba28bc40

SHA256
26e128c5fc620d29b7927fab180611e3ada8537b788d754e9452562a0f42e384

SHA512
f541b95aa6f05732431831f51df31cfc22e2419f74a12aa0bca7a02b3aba3d6a1ecf03fcc35947ae44ddb87568700369d2719e0389359f8e30c927d797bf5577

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5572beb32dface1e56b4b49a22e3fb73

SHA1
0adadc69eaca0ecf1aed12b50c337987c686a90b

SHA256
3c88d8b24e6dc7fbe3c98fb488c6347f43b97b670695064593c395649619030d

SHA512
006a7bc615dd6fcc0b4f155d8a62cc59b3db546ee7326857a51257175040186e89764d91d76077dd86c8f60adabd4fd81e0b0a7e893dc643edd0db6e05ab9b50

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5ca93999dc06aabea74e5e6961e5d88e

SHA1
8bd9dcfdffaeeac090707aa7fdb6110ef958f5c4

SHA256
721ede01f413cfba61a1e9444854eb2b02537b9439e95db3e271694fc1fe6e4e

SHA512
962aeeed007bee1b7bb1d141fefe0960f73f154063aa1b8e6d9359d40609349d070c74ef3c65809d9f69a67272412ed14cba835d2ef8be21237649e0645fe8ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69980287f49bb22b351848871aac4bdf

SHA1
093a0b81533bcff34098fd329819100b2f7b8125

SHA256
4553799c8be5cf3876d0f312ceb5aee38bdce80ebcd9448b61ed1d963ddc88cc

SHA512
032ee80bbe212721cad39dc1a9e253fb7c423ebcdee42ac22ad53447f832973e2b0235cae6ef6cde52f4e77fded593e3faf824b084891848961126dcfdfebe2e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2a2ad308f587bec942f5de135cd47282

SHA1
e9530c6b635e3f3a816a19699043b6056ca090e7

SHA256
6317ba6ac64703b16a5bfdacdd94140d4b3c5b21beb243bf9aa06de35b3c853d

SHA512
acd52b9a578e9383ba5d1823a533a26589c08cfbb5ff074aae7c608eabb294e2b8c44d5f88c4f3fdad3f8fec862359b996271baa23da772793c56a55af844ed5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d744778ca1616c68fc369b95390291dd

SHA1
7d5ba0404e6d53d91befb54fd1f394e2a4ac1db5

SHA256
af29d41ada4cb45d8dc6dda53a87f1b26a5ff1a55ba0415f04642027423a4fe5

SHA512
889363c2c09da647cc5e6925642608935af08790bfa66e098ad16539fc5ba2290a7ba68e1ce8aa5f020983bee87e26d296702736afd981c19f3aceb15d8136bd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8816f448d9db4c3f0b575857a877cc16

SHA1
59e645c80167a580433818427dbe6afcd99b0eab

SHA256
6c39f4d9f23b0801ef4256ac7fd82d1e49b2b85ddb9efbe77788454d31276a65

SHA512
2ae16879dfa9e3b0e8e81d6b1fd6db7189005494e37c2be10f34cde382df6d2cafb87a915ad66ed8c8a0798a61ee36687ad0d9d8559306c534ef15101bb8bd50

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
22e9eb10d60e97194e57d02cdf2db2c9

SHA1
b82c9dbe150cc7c351fca70f11e6acd4c0e7256a

SHA256
d6611e699430ff3f3bd7f58f7f6740ce451610361d8464967fb186853129adf5

SHA512
8a3fd984ab5cdf66a89ee2276adc0ed2526f49ae08d49bc2304b157d419c179d135174dd55c87890bdc578980c117cd369649642d5b086f8c8faf3824456c1f7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aa5ba43f9190096595c8e374a4136813

SHA1
c74c8eaca8e3c0b246f54eb98ce8f050b3505382

SHA256
544edba0f419d28de98990cf92616af05860cdb8b0f24479d0389dad095f7aad

SHA512
2bb2b26642a744e3c481cf3221059a632282fac8c74eb9662f98ee35a318350edeb123c5d74cf974249329c7041f7eb00b66e14b548f6094d3f7693acc77e106

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9c2d6358ccef6b9b61c73184e1827b30

SHA1
0d89a4aba320432a01c6feba7b74c4cbdcb27ce3

SHA256
499f8bcc7c0b3b81568facc0fb036c5529657e97b5370fca2afd8fc8e6a83623

SHA512
c9c5c161b098fb874b1b53ffbe2a42518b9b4b71729d6bba331c5f13eea0043b221db56871ae9df8367afc551248320e93dbdc03f5215624d4f209e65d13a920

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cfc151806c94daff6426a79d1df2f86a

SHA1
fea51cc8e6bb6067452e747d0fcbe251a4a0d3ca

SHA256
f6316a076b1296f428d0c62a0f0bf65934907cb2b0c1555755bd6c70385a5e37

SHA512
803a492921ef67ae03d97b6dfaf0daf46100d7dd0afa7694b37310e1a9923bc62c6b1b976c35aa927bb8da005678fc4c1723f01cdb2a1126322843cedec89d4d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
17f21db0ef8301fa4fb4fb244f80b8a2

SHA1
5b91404978ff655814e705275e14d0055edced21

SHA256
ddf6ab230696e378058db46a5c2ddd7e514af7d9c0a13ee76773556bf74f4a7b

SHA512
3ed4abe174a531399a54180058b856e404187acade8a97f271b9efffc570a48f42df5b601fa7533c9a7058ebd52117b66c6b0a64e9cb314589a1a4680c4249d3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5a3c0c02267ca2572b4a51e6f07408ec

SHA1
c00e794ce9a3d8556d8244ad1ebbeb392531b1d5

SHA256
9c99d56a6acff5431b90b1346ed118948202bfff87eef2c6ff5f1c90d27b2758

SHA512
3dc1ac969f6dc8837f8594410c6d758c9ab9ffe8789972e082784f479bd6f88936e6c2505ce84afb92515489955305bfd5d3d3f675d61389021d40f0593e286e

Download Submit
memory/1172-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1172-259-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1172-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1788-545-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1788-255-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1832-424-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1832-159-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2032-22-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2032-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2032-10-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2032-135-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2232-546-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2232-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2356-34-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2356-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2356-41-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2356-55-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2356-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2368-212-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2368-110-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2428-87-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2428-95-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2788-489-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2788-195-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2792-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2792-53-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2792-47-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2792-162-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2980-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2980-540-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3248-146-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3296-121-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3296-224-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3432-496-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3432-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3448-125-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3652-485-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3652-184-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3728-80-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3728-72-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3728-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3920-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3920-543-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4084-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4084-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4172-45-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4172-30-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4172-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4272-21-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4272-0-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4272-5-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4272-42-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4440-175-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4440-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4440-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4440-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4916-480-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4916-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download