447dacbd40859058a36677ebb8813766192c6d3e95643f654e014dfbbb2eeb83

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Size

24.3MB
MD5

5a2123722fd3298f3e377e026bbcc6c2
SHA1

01780d95de7f97a3a0d23a21a8de10951d8e2a1e
SHA256

447dacbd40859058a36677ebb8813766192c6d3e95643f654e014dfbbb2eeb83
SHA512

0f0e1e848e98ede58a3fc38719837b2a9e39e4ba914333d05cd62e9524a05de7b4a99025da20ec5d7e373c3f7ca51af6bad00ce26dcdce16ea82b8d0483f1363
SSDEEP

196608:TP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018T:TPboGX8a/jWWu3cI2D/cWcls1K

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1704	alg.exe
4968	DiagnosticsHub.StandardCollector.Service.exe
3560	fxssvc.exe
1920	elevation_service.exe
5096	elevation_service.exe
1820	maintenanceservice.exe
2000	msdtc.exe
3868	OSE.EXE
3684	PerceptionSimulationService.exe
1544	perfhost.exe
2896	locator.exe
1484	SensorDataService.exe
2996	snmptrap.exe
640	spectrum.exe
4168	ssh-agent.exe
368	TieringEngineService.exe
4488	AgentService.exe
1528	vds.exe
8	vssvc.exe
4528	wbengine.exe
3616	WmiApSrv.exe
3176	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d0011c20c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2a6b69958b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eafa29a58b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f37cb9a58b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061b8e89958b6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bda1329a58b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c8399a58b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078f6a59958b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000041ccc9958b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3560	fxssvc.exe
Token: SeRestorePrivilege	368	TieringEngineService.exe
Token: SeManageVolumePrivilege	368	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4488	AgentService.exe
Token: SeBackupPrivilege	8	vssvc.exe
Token: SeRestorePrivilege	8	vssvc.exe
Token: SeAuditPrivilege	8	vssvc.exe
Token: SeBackupPrivilege	4528	wbengine.exe
Token: SeRestorePrivilege	4528	wbengine.exe
Token: SeSecurityPrivilege	4528	wbengine.exe
Token: 33	3176	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3176	SearchIndexer.exe
Token: SeDebugPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1348	2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1704	alg.exe
Token: SeDebugPrivilege	1704	alg.exe
Token: SeDebugPrivilege	1704	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 4608	3176	SearchIndexer.exe	110
PID 3176 wrote to memory of 4608	3176	SearchIndexer.exe	110
PID 3176 wrote to memory of 1256	3176	SearchIndexer.exe	111
PID 3176 wrote to memory of 1256	3176	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_5a2123722fd3298f3e377e026bbcc6c2_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1516

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:640

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ff9dd0a2fc8c220f42c6ee6266adcaa8

SHA1
4cec46a2c8a31b4db1d55ad905e75ecedd9994fb

SHA256
7fa95cca78793248e136ff1b1bf39e5bc2544ea534c5b5d779199e06740e6ea8

SHA512
e96013cc3c82cd5ee2c3f36c2377e65299b42af523aa7fbbe7f83e08cb468acc77799958529fbe6e13fe0823d9efdde2d6aeb36c1faff1e97f1b25629b14672b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
bcf9968002286ef022d3d9b771bbcb6e

SHA1
197a6d666061a0f7caabfc790f1f4c24d877364d

SHA256
9ccc11c5d9824fb46822c60ff1bef185574785fdca57ddafad33d67a53f851f1

SHA512
23009790183c9c5d989d3a1ea2a41a571c7f0150e8e1c60426623616ec63c512da43957dd726fcf951855fedf6c74021cbc387e624bc72c7e0bb6e62025791fb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8b325c1c448b387f9b90b8e3c9bc0066

SHA1
ece1524cbd3cefc69c43e16a00e74be44bf10642

SHA256
19cfd5763175025da1b6ac25a0f6b0ea32c0bc5924b30667d510482495256c74

SHA512
0495408b56dc70c2fd24bad176b0aef682eff924d00e76ad81e4e16e524547deaab6f2a58d7f34d820b175dbc297c625da276b090b00f409dbac4ca414c2b330

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
621a316025e73dd57ead55aa8320cef7

SHA1
d72fdd6f6e84271389f8d878540c59ae8b01fc40

SHA256
0889e003d2e728dcdb406f4ff2d464fb300d7beed800d84b845c225c02af6a77

SHA512
9cdd68bfa7dd491ec2270d6d4453376e01b39752275e6e8bcc8246ff3ee6b1c13c2d9d2dd1c7f346354440fb4a949ba284cfba4ce9199b635399dcd6d3316e28

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f7240394a011405aece0a2853854bd5e

SHA1
6851edbb8888cf46a47ef394cd9f66ca2a50ef70

SHA256
070fb2db8703e22d9cffd317953e87fa7cfd6d7e1e7cc1b64d0828bd39623165

SHA512
ff3a2efe95b1aaec2dfbc74986c3dc68df1d9d3bd221f5a5d58a4413b24918eed4098bd42b74ed0ed52d99b932ba41b019cbd294531278223e99043adba3a6cb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
cf99443e87eba31170ef20de5052bc3d

SHA1
a6794b47a71ab35349c74a4321559000c60b338b

SHA256
9770a0a10c6c479c4ee255911588b751754b2bd98af74fea52b96854a93c99e5

SHA512
f47cefcdd45ea3305c39116cdae317fd5472103aa433f6df43840946cb8e601aff2706d1e27d0ea46dd2d5e868ec38448ffaad5c11430716849dcd3cf58f0d86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f5f763b0289623d16b23821cd960a951

SHA1
5445ad8fb70ca7ced53443c775ee37df61656ebd

SHA256
759fc630ca33262baf3647f9de70535a5dc2688e7313663a4b21135e0e6be2c2

SHA512
5ee98987935bcaac9aff78be5cac343bbb3242b0c131923dda8ee3c8d0cd1867ccc2c040546021b326c9e22d3faf22db6e2d3ee26a8a6b2731c07a8e2e72c1ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
626974e815a9045133d49df6d6182a18

SHA1
280da57eb69927944f682d9c88b69e49c82c2efa

SHA256
8facb3ecd9d3d9591a0684047db9365e03e5f402a7febaad8b41a5d1df9b41fe

SHA512
8ddfcd5c2790deca53bdfe7629c63f1a1efb3d081719cbe3d80de1bd1d5b10903760eb9271c42975607e83db5da63455d0d40b895657b4dc0a2022b1bca781e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b33feaaee1f205308d32c3d0910759d6

SHA1
fbedd1ea5e61044aa91090b07ee2bfe147ad7753

SHA256
8ac1f5658b63bef54f50d469e4c624e18301b66b2cf487aa2eb37969d82e7346

SHA512
feef3fb69d85c6a605f4ec6082dd7b417ce2dcf150e4f7256365a2fa0ba9d41e03a6ce64eb409c430b25a320f0996c138f2d0fc1784d7fe19742aa98850d6e71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6fc8290f1d2df6ee9a82c2804b0e97b5

SHA1
41c643c142aedeff6d188a7c0c6c32bed7ab3c11

SHA256
2a0dc56bc72a22599fb14626e8b96950abb977cda4026838b7a5729e743ec7df

SHA512
6683eb53dded806e9dba49bc3ec28bf9927b7aa907fa43767df38c4e0bf275ded31a50ccf75e18735beb4ea33934838ef5ebd5581a279dd0b65fe4a2b7d7436f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a6d9295522555f647dcde9a6a6a84556

SHA1
75a3c61a1ee7f1df6ec29931a3c004a8beef9221

SHA256
e7d996fb76d12eae4e18098a733f937021b390a194e40fd8a7e2ad2c88c4ce58

SHA512
c7e96255b981cb4a457bae338f4b73dd3a50af078d620764d53cf9450b52552d47f16d54c5465808305a25bc5429c51ca0649a03660166dac06d359095b5133c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
eae1177ff1af59ce19859d63b6f17141

SHA1
7e66f1e4b464d8a6949904be9e3bc3ef29e6f7d1

SHA256
3539abf8e9c1b01aacd4adea77a5c1112dbb24aeb9f4ac831fbca2ac9c02d4a3

SHA512
0959af3c62d5657b9878882c3fe760fa2aebdad43c811706061408a7181b8479d1b69ec901655d0e95177573542a9470893e000eaedb8797e5a43e076d32ea91

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
e4a51042a92d781de2d97f97acf092a3

SHA1
97ecbe520a1e7fe49ca50a00a6d3aa8585dcfc63

SHA256
3a2b3f718f8d1a6139c0a466b97241a3ab3e3200d17eb8895b6155368aba56be

SHA512
6b4bb5d75a1e1b8136a681726d9286cdb44a3fa4d72e415f25a32a9b130a34b315ce5640ac7dfad5448972a1458a878a7a68a8d69964370d56db12b0e7d43b72

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
3e0f6b8b3e335cadf142fb6e84dd83a7

SHA1
21d8d1473ae2a517c839a42d8255534d7b99ba89

SHA256
103cf2bb0d0a310c8215a794890144b067da63cfe9b8d45335624a3e37c04818

SHA512
ab738027f561f282f27c98bc0d0ad7c045395aa5658e63f4d5995d88438dcbf604baae3207093a458362760f9a0d89528906ee69a46406973da627ed9dddf319

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9d545a522de2cca9aefae2f61d3adbf1

SHA1
3d254968d68b3fbf8cc6cf69dc40dd117148a70d

SHA256
673bb67aac581ffe37c31b58287d68e76a6a77b58bb2c8d4a74e61b899bef18b

SHA512
063d2679de49be286f687973d6b8fc3d70a14892bd72792a5b7bac2a95c8eb9dacb3102a342f798a56f979cd1dde46fabfe34affa32c05981fbcbf98e58bf659

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
332610c91597d4fe290531fc3c080509

SHA1
7d503327b2ad7872717fe8d173f59067a590f413

SHA256
a221eb2d389687c28bff103ad61d2669547219e025a98bd1ebbafc479c1be88d

SHA512
50f906b76af11bcca148e46eef4de3cfc1170264874e6401166ef912cdcfff5b21564780454847ade8d99a65a342720d24886a17857128cebe9c4ab7069882c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
abc295e335ec4635eb7acc6642641008

SHA1
78a6d2dfe7b7f38d199196abd578bff9923bb7e8

SHA256
e71cb782c441fe4ca16b3d9b3a2afebeba429255b9eace5324fe4c71fea904fb

SHA512
b1e8eb0a5691964d3af97d1622cadc84995191a9886072574e33ebb7700de6be7ce6e31135ca79db3011337ba40992a5892523b783a6113a6bebf9582c0fa1c4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
00f90ab8090f6d5291569b4b984b5efe

SHA1
0160cdcbf8ea3ac532bb439903fab13c068819fe

SHA256
769cbc370684a7f77d28fea92d22561c95a98f02955096f33f072f2abc6aaa87

SHA512
59390366874e7aa2f3e96e8d733f99dbc927cbc209a7d210b52296b1d8872ef1f74a8077b09e639e436dc5ead2f30b7ec2605e6b8c615fe2f98a9a15610bcc90

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3bb73e8fc0816fe53186ae02c589ea29

SHA1
df86a855fa1551b89a7956cd21b25facf8f49ad2

SHA256
bff05199310ef63b2de4870e98459b90725dc84a906dbf0f5cb2aa945012c1a1

SHA512
b459ce5ca6d49bc3c4646c60e9d92276266d72cebc1f7a77099739b25f6fcfeb235bd0d69d15c8e8fcf7a004e432ec92dbe005a40eb6e3856bfff4538295bed2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
539a9b0fc7b28d3f1eb0d8bfd23fb368

SHA1
321c9b15ae05d42f9f53180f058a5a79becbaa22

SHA256
de552915ddfabb66501308adf687b158b3c57cd8949af26a9f342bee9af70f15

SHA512
eb3936ff780797d2faf4be0a28ccc71dbdecc0d376a0a465a6e5cb88f642ae8e747578395e3d49f2a099c893467dea434ea9fabd0f64caca7174b0e980a3b359

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
07b7d36d63a72bb0080555e3f1e8af40

SHA1
04a2996f75747d12fb5508d80ac37ffc7d574afb

SHA256
f8509e9ca14f9eee28b06a8f9d275bac073abdc5242131c4f0d18e35360141d3

SHA512
9c7666ce815c157cb002fe61caddd4d1010e9307041d357622f68897c45f70bace0bc4bd30187791bd6c6a431f7c64bbfab2e03033dee6c1437c8bdf17ecd378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
155b6a83c14faceb477ccaf355572b22

SHA1
1cbd77b6a680c7eb57c50767da0715cf4f4a2f8b

SHA256
40c5bcdc1db7285220aeddd28a7793c715ef203340fc9d2951f0836a8b2878b5

SHA512
98a558a738d3229a39bcf27a77826c1dd7fe5e8a8d060982061fdd483c2d8e4b40a82a6a19611962f000495f95ae1373bb1b4e5b5307b0634c4733f17e58a346

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f15e7a3b5589aecd487da46a9549976a

SHA1
fab41893c48531a95c0ad6259b8dda5eef6f316e

SHA256
caf491caccbb3ddb701be5e8188760f047c358678a222205ad413a762f6c4b44

SHA512
b39409492aab0b968fe49b3d8fbe3919d9685dd078502b2f57f5a57fb7156f96eb806129dd7c3293ebbb931734e91b853908da13b1bca61ad0989347b4511877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
376ab89bd6ae16693494776703b54f44

SHA1
b76e7e5cde9329a0172fe80fb52f9cc3f5790dea

SHA256
9191046992d96c31ab112fedead60b512fc6b05d12e45a355049d289aa701746

SHA512
eb970922e97df439b4131fa0211d71584b5325cfe50fc64bb016b8931a06d2e6df61c483a3efd8c22cec5980971aab6d68a5f55a016d59d64b222697a03668ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
aa00d21c1df6b6e78a88bd85c90da6e9

SHA1
02d581bc16c1bc9d7bf950a0fc2d478e63079572

SHA256
928ce4c77cbf380f977449d2f6f71e4ce741b53b0579fa8884060ce1d10df1da

SHA512
8f53474cf0f3f39fd4d984470ae8a67ccd89ddb42306aeba5d18c5ee110297cd73ba31f19ddc9abb57bba1288f0fff46733754a27ea19dda9c2cd95ff558e68c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
67430157cb42fe71f2ed43c347bfed24

SHA1
801e4d64abeec380b576725a3c59959fed04d4cc

SHA256
72da2e0197d715fcb86491fd4d1ba0ed3a5b5fdb8d120c3980d09f7a6c9684c4

SHA512
0a209f287bbc0d46a13d4a865eb25633bc5f93ee556b7dbe408a4cbe3e19e502c9681fe91b0304850f2583a01af13ac9d53d06b3d9879cf36f344f904b4c92db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
4c256dbaa1656d99dcf5e0066d95c27b

SHA1
c9bdb8a5f764631b91480b0ac0d105c4692dcb0f

SHA256
694cd82e534ea07308b704e0c4e9bc909507c02da099a835ead3c46c4cd6a739

SHA512
869d651add0b32090d21830f52c09e84908a1a45e5a87c33f08b614855319246819fd20a2f52cbb36869a936ccb3e29689e0fb9b6c6d0911ed8a20bac4d57c63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c057e5e77a0f0cf7ac1865ebacce24aa

SHA1
41cb77436917636f84f1562425c24c00e3873ade

SHA256
7d9fab0372407939c69dea52b20e1f5422fd5e19e7cf9e99e69e3340f9467d1c

SHA512
ea9e70191d81a6410992a93459ed74c8d71ec9cb59318374cd76a2d24e137f3178d6b9bd2b5fabbbe9de7e05e4b48a0fc21b5f12e951826a1a700a849487e143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8459efd4719dcd2d48f395669bb5bd16

SHA1
dd944e0e1a2365effa27044fc12ecbba1180275e

SHA256
e7ae0d13f204c39ebef23d60b962d27a8ece975b9a1954303b991a1bdd81a9ad

SHA512
8feb8f5412600a3e388ae4aebed989e12ffff103a50b969cd9dec312a953d21ab41ac563ae695ee42f06e7caae4786ceb493035cf8689aecbd7273cb9d252742

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
04c42f0ab49c811df5a21299242d56fb

SHA1
cda890262a9eaeb36196389d7802cd0c24cdd4c0

SHA256
f9f412c90f4a150a353842c3afb13c182752c10360a1c2723a567e1cc2b38f32

SHA512
9c1c0c26339f5cd01255edc46a72e2834a2b355862b3f8a823090f24b979d38b1a8a1b7e7f17f092ccb78adb4398858c12920f71c9832ea0508acf074dfcf846

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1cd9215bddf792872788a65726c77a38

SHA1
e32b8b7edab6038d617577d7683fddfe926bab9a

SHA256
0953659a6c5d7a63ff6174b1a02adc76aa54c612f0076592138f2d04acbd8885

SHA512
3840da2d5cba3877ce8a0f35ca40c7c1decf93be44e1c9e6ebeddfda24780b572a9dd90bf0356bb66db63f7b282a300fed6cd23ed51cd4e78e26bb6bb86963f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b84e76c00c24ecd4f657dd6a15447250

SHA1
5819c0c9b0acaacf29912e66ebd3d0b53bead0a1

SHA256
80a7edd5db87b3c9bed033c9295c3955be894549579e426f3fc76dd89114f16a

SHA512
bbbfdcf86048632b70764b749cbad3d78282cee5d50ef17b3ff5d14aca73c67d85cb80adff9d60ca0d110b2db4a93f51509ae944fc11567a7d48d74d4e61ca64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
12de057f6d8029a289a886a4c0fb63a1

SHA1
4880fdc2e5bc83bd3d045c5d75ae8c75bd53ef2d

SHA256
476641acc6e0bf8c005e95842de38c81275ca81fe54ec5ab2b293c1f85886656

SHA512
9a3f591e645f8ef0ffb29f9ed2171a8852f5e233f21e5d578b9cf2f7f03c44020401375baaed0bfa623cee3622e32dc720c277f84217f949f67d46fd02962df1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a10b11790a4c69ccf4d5f7f9a7305478

SHA1
78128b01889da66853928b8a31c8cc32ba50196f

SHA256
c8a3789c74e2e5b136d4fe0b912993d9007047d81cee9f4d024fba2771cf3200

SHA512
fa9e74b254c7ba3aa61c71df6219be31b87a72255907f88bbb7736e0f3e52fc4b1b0f0561766f662559c9a36eda732e9847d48579ee4668ef3fe25270d80addf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
7796adddc53786883497230b08fbe92e

SHA1
d164576845fd60a72fceed289d9b695d538b41bb

SHA256
dd34a46bb49ab531aa05c0a29aded79d0a834bb44f2694fe746c4921ab704548

SHA512
fa991d4a4ffb2af4b0fc2dfae460df362e2c253393928fd3572ff9c6e03446b6e45216520af64e1ca872241ecc1c715b11478e13b7c57fa4930a6d75fc473219

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b500a6ee3f958482e0ddb803bbb5bdb4

SHA1
6743362b11f6810fea6c259d40cbbd93dec96957

SHA256
6c42fa3047218778a832fcb911ec56919c9206beebc79c35f1f65d044d72726a

SHA512
7e2bb68c67eb7e417c1789b5836ca828fbb01eb8e162b7f69bacf42e0698788f17785ede208c98bbb8e92ef522ee7a48353b4fdf07e8c55d58538fbfad0ba4d1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d13b77f9ea25b44c2215a9beb737c534

SHA1
f8df873b94bcdd86fa0d9a925968f6a7566562a7

SHA256
51de9a6ba350f78a3c6f9fce3a89d3442472bb92753ce216674eadf7d9c7889a

SHA512
942361125ae41fd7352fca095dd28e0b107bd14c2253adb0afb0707284c6b9d6e9c4c47ebb5fefd64bb27ef1d2236c8f7bbbffde8a97e2463d42b6a5d7b1da2d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
301f9f9cc67283d6e77253e31cf2c220

SHA1
dc5c3d0a061783295998c4feb07a675d6c7cdd8d

SHA256
0432538b1b48bbf270197395a23bc980acc939625d1b7cf27d06dfd8ce48a6b2

SHA512
a4edf8829506447a6980dca8dbaa17915424cdd653a2eef67eed5f636a7a664b76d959e1c221a254bf21469c0505b832e8283007b777f0ebfaf6314a26233021

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c423fee3b77fa54fb4e73f7f33fb94ea

SHA1
1fa039e3d6351318a8f14ead2c40a360d61a5b22

SHA256
d1bb0e436f95d49df3d7f3db7c1f22075242026b52e2e06a871d378367bd360c

SHA512
b05f8305d0b89887e0f0f97d6a0f041367c8d90ab5377391c60452d9d960477049d93e2a24189b18c4db8c3e6cd9a78ee597c9b10ca228a11868cd1dd3f2106b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
c0f30c6a4d260417f76d0731f96debfe

SHA1
1f057c86f6f58023783e1da0e0da2adf2c49644f

SHA256
4286188bd6a67ff2b5785e5c791de2e78f8ac3a710df14eebdd2d6ab42189cac

SHA512
0035e30726f544180e21de987e3983667b057d7d167e34911c2e648ac008557ca16731ac605e837d3d012e05db268aabc363626a47b919404a29bdf6bde574f0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f81283ae9c5eb06d7c3d14498bee88e8

SHA1
fa159d7a3f62da8501a26e1664807c2ca2eda0d3

SHA256
552ec69048193b95cd7344a59686f836820cddd5adf2706c37e4c95c1629584e

SHA512
146e28adee9d3e5ada19d622e2027f2f6f32a7af9c72f5cc58c3b36ccf7671633903f5ef74786e4dcc79c90d5782df627113fa34494c1881290790042dfec058

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0863a9350d1af7b0148e46233ff56b74

SHA1
8e96ed1d9860112d1276800376d5cf584a29e1ec

SHA256
ded6cb4c5380ab1cd1a9bd1ee6ace3c9b31a12603b1bc223301679abdea38315

SHA512
f7b6e2a004e4665f3fceb5cf562c3e541cc2f564e81011a93b9b162bca692b0d9e1080a789523c88350e63194b19481cafe51158c4821b409b4d129c13537b83

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
853fc5f27c492a9501099800dc202cd7

SHA1
876b8c0350d1c178e0f42a96400be5eddbbfcbab

SHA256
e0aefc396dc842b774d03fdcedc1bea03649de6a6b1715c5c821f22443f667b5

SHA512
af2272e6477e94ea42bbbba11d9c400490a0c6ad557bc57288c2f5f2d6afbbfc66ea43493d5c44041dc5ac90f5ccb4d55d4e76a1dbaf4a03ee8dd56939e0bf9e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
b7c9941e00aaab7e032a306e7c954683

SHA1
3f71260eb83e1543bc2ae62ae6605dbdeeda4000

SHA256
c334bae2eba7ecfa984088831c54d7fe80a5816e8b7bf4ae16a683461a116384

SHA512
03a0f8fd4982ac2e59e688d6acf7441b8acf2e079478d1901781cdcfc2d518171572a32fffa3c2bc0066494461dc0072ef49db347c2406036a7f1612f02f312b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
78bd976473fd2d50067b0bdb72155500

SHA1
a130e6187146676e1676831912abdec17fd6c860

SHA256
f5f1d59781f3643c6f468c9a61f26ab43afaf025119d95aa4eb14a57ebb7b02d

SHA512
6b2980f996de0448caadb29ceff986d00e77c12b830d4d7e0cb650dba3fda1af188bbefa52452390f69770f70ea37bba07d4bf7aab76fa15b296d30a4442d29b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ddccd88d2289296a607f64e2b42bdd7a

SHA1
32c219ae1837ef84c90854903b8b3dab22292242

SHA256
87bb4851d735f604702b3d2a4b1cce3d38f66109b425af1a8ad73c091f03bcdb

SHA512
74ac126094d45a33a3bbfa1258cff375f68a8cfc3e1355ed45deeaacfa1e5cb5a6b78a6ffca4a406496c5c59f503111b244a487a97880cf9ff51a44e5265fed3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a2834e676fe1038a59cd687aae24e1c2

SHA1
bb58e9f7f7756b663e9f97f62b3bb591359b8d1b

SHA256
54474dab8c76952684d7a0fdc0ed16ffc4d1d6c25b77f122fe6d8d79547332c7

SHA512
c8e2416f99172a3f0fe0527bd5d41376d809a358586e980dda2403edd510353c7d2ccbdd1724cf86525682cbea41ce73311a1e997a46c15bc97d493e426290f6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3c140c83ae2484fb81dfe244599a4f34

SHA1
9b83eccef17ecd0ece9369768e3bd0eae433559f

SHA256
bbad13e7ded4e6981cba55d448f79edaa22fa63556a9bb9cf63bb56600845ad8

SHA512
c129ac968fcd8a3bc793e475ca5a95e5aa1db036e1506b32f2e31d589a3fd43c2aa1f181109592e5b2c02bdfbe6ce2c220fa3dd5ea4c6b24042354ecab23f42f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
22b84d721f639fa2b70629257c695946

SHA1
e40bacb36c090686fcbb8bd424a3e5747f746ea9

SHA256
c2c296ec8a4cbb3e8deeedf98939667785b8d0645961b2d55842dc84237c2182

SHA512
fede4f94181250046519810be576bbc3c6b1480a250c45722ba28434143315cf07664ef2bfb369249ce5b14292926abadca59205f4c7a7842dbb9867c93196a2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
86eb322494028747250cb655a3a5bab9

SHA1
96f7b52991cf165c49e3575132f8a0998161f4ca

SHA256
e5ef0b3e71a56d8f7e9e5e38880bbe99d4b2b5553ffb27d3dffaddd2ea8a6751

SHA512
17b84b7b307d536ddd27170590e151eccc7a067b23209550477df367f1e47c9fd1f5a32b3e045a42da4b8e1a46cb601351fc8496be5f95c86b4ed3d4767c092f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
aa59bcb4216dc8f369db967ce949581b

SHA1
96b984778c02a82805a37f4053af58853ea64027

SHA256
54b3697049f5cd61d4fb6025e5372c06a3fffc7238930b3aa4b66daf2a7607bf

SHA512
6868badb4f6fc026daf8af7856e4496936642b079e8b01527c142db1a1392340ddbb76288f13e613abf4e38d575b37700dd657e1c9e0d543192e956054c48e87

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9a03db1583b763ecba157a80cab61957

SHA1
d15aa96cb5ca53e26240af007c30e592e03126d5

SHA256
be592dc3393fed1a3f24a19aba52438b6aa9d0ced82b04256ba0a1370b04e0b9

SHA512
897a257f6bdda3a9d1c847a6a89c8c2afe49ace64e64c33ef1c85f49ec9aabc482c6cbaf3f8f37435d708b8e3f1cf6e54141801cfa25f7887ca8ee510fe025b5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
049a41bf495aaa5df8196c689251c62c

SHA1
fa521cc636e18e474d64353491e8a12f07bef9e2

SHA256
6dabb6b7bf111fd0d0384f99a85d76321524651a908fc49542e948fdfb62cab2

SHA512
99851bb4083ca463e81b7856f0a579e4809b5f3053d411c31428242c4166f5630ba01163acdea9385d01bfab7f5953c0a832b07b46e8ba98ac17271c87c51a01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
afa3a8e5673c92950282bc40cca4151d

SHA1
1a411d230bc808189445c6f9b7915b8d0933d8df

SHA256
6dcb710d3c0bcaafee172d2bd1e08cd53fa5f3f3340d7d0a6705060cd85db346

SHA512
c276b34c562b1003499cac6c23c6096b752b5fc593932afeb347b99679e8190294428c23c4ad81d21e65ffc0fd03302f143a76c4ed8bb781f205d917f36809aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bbe2f6298877376762d838c3c3ac8aa3

SHA1
c5c286f8a5b35f55cd867c60274377625292e415

SHA256
d9fb606669bdbb1dfb2b072156d63e90002a246603a1fab6557aa28659077c18

SHA512
74dda5f55cd7fd57073c02c10cf794065aeea5366d0714f036cfd2a4532d77d9984bd53fb5f9f6bb378a864ee81e4e1f4bc76adbf0859fddf3a446d7706653ef

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7d6bee37b95fde53f7bea91512ab6ded

SHA1
c1afbd635f679b5dd961deee766c3aff71b80839

SHA256
78b0641f3fb94fd86c9f1b2a512502accb87809a3f150ad4ec612c791dde98f1

SHA512
a2836ddb5d8e793badeed34fa8f97513e9c8eccf83defec26c6a7f56e40321972001c8536a32b4adea2172a620b0498e3e1b6c02d2404768f8f9117c6a19bc23

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
32742e5621cc9ac0f62c813be1592877

SHA1
75d5f57f3c7e767d5ab5898e66df44249da79537

SHA256
c61e4107d192ae023c2eac0f9617a19a221caba508501f0234c9b3ad55913738

SHA512
a22cfbe9f1ad9631739cf3f98b6ded949a1921fd54b691a09a1148c95f1ab36fa2cceaf0c7cbb7fb8c0c7cf1a7db7a955c8f2f7a3118e9190e0afe2fd1ee6eee

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
7941b9d5bbce9b47c132103d6e067616

SHA1
a490483214b2ab839c090242f3060952dde7aa47

SHA256
aaafb9dc489e2f6fdb9363ee80a2e296abf35ab0c21abcb17d18f66959ddede9

SHA512
01bd6a3a8eb55afe025521d8f9123c669e72cdd866c756e1d99c1cf0689dce7fa6a43950bc70ea62cb9a5f97c87bde3c8f913f5c22bb9fff178e877e7c688232

Download Submit
memory/8-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/368-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/640-303-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1348-5-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/1348-21-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1348-289-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1348-0-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/1484-527-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1484-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1528-308-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1544-296-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1704-41-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1704-16-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1704-10-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1820-80-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1820-68-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1820-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1820-74-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1920-616-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1920-45-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1920-51-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1920-315-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2000-82-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2000-293-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/2896-298-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2996-300-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3176-615-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3176-313-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3560-39-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3560-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3560-54-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3560-33-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3616-312-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3616-614-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3684-295-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3868-294-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4168-304-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4488-198-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-311-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4968-42-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4968-29-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4968-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5096-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5096-292-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-613-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download