fe158a6aae84c43e730120b4617b2c3bfd00d0481935a0f03c39510aa81b6253

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Size

24.3MB
MD5

4f8e8abcec5321f14556d458549a24fe
SHA1

2f03f0cd9b72d4aa6a0531144ad1ed3971b82ac6
SHA256

fe158a6aae84c43e730120b4617b2c3bfd00d0481935a0f03c39510aa81b6253
SHA512

376d8fbf76fca86d5c7c6cdccff077cfe5835fb29a156a718d09026cfb23e3347987976908e33fa6b4afc1952700153ff8f3ad10a3cb0d5da509eee3ca158eeb
SSDEEP

196608:tP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018/LiJk0:tPboGX8a/jWWu3cI2D/cWcls1KLkk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3368	alg.exe
620	DiagnosticsHub.StandardCollector.Service.exe
3956	fxssvc.exe
3660	elevation_service.exe
4884	elevation_service.exe
2992	maintenanceservice.exe
3828	msdtc.exe
376	OSE.EXE
4348	PerceptionSimulationService.exe
3256	perfhost.exe
4256	locator.exe
4060	SensorDataService.exe
2108	snmptrap.exe
3020	spectrum.exe
1784	ssh-agent.exe
2208	TieringEngineService.exe
2876	AgentService.exe
2728	vds.exe
4404	vssvc.exe
2248	wbengine.exe
3616	WmiApSrv.exe
1208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e2bd84fd590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b23ac833b5b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d552133b5b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004651d831b5b6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002530fb32b5b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029f5ff32b5b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066045133b5b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017200431b5b6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3956	fxssvc.exe
Token: SeRestorePrivilege	2208	TieringEngineService.exe
Token: SeManageVolumePrivilege	2208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2876	AgentService.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeBackupPrivilege	2248	wbengine.exe
Token: SeRestorePrivilege	2248	wbengine.exe
Token: SeSecurityPrivilege	2248	wbengine.exe
Token: 33	1208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1208	SearchIndexer.exe
Token: SeDebugPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1740	2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe
Token: SeDebugPrivilege	3368	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 4368	1208	SearchIndexer.exe	108
PID 1208 wrote to memory of 4368	1208	SearchIndexer.exe	108
PID 1208 wrote to memory of 2652	1208	SearchIndexer.exe	109
PID 1208 wrote to memory of 2652	1208	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_4f8e8abcec5321f14556d458549a24fe_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4884

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:376

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4060

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3020

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4368
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cc322612328dbfd6343005254be28c07

SHA1
ad766b1ea3c305a877328e3a6746122d8809bc8a

SHA256
6dd94b6669428a06b29056ddce9719fbca0542b43eaac6b5289d26292ea27a9d

SHA512
75aba6525b0a03d3faafb52fafbb1e5f5e721cabce584b09cb5f30d083f4d47032d124a177bce1d4238d9bbaa5710fb0c649cab6886183b03ffb6b975a19ecd1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
06e541e3a5cbe09c16499bdbde16e866

SHA1
f2b1eefab55e47e419a2abf2c993f127379c2bf7

SHA256
e9be7b5af6d2210902602dcf935e424a6ab8c92d10b84f0cba25c4f3bc10eb47

SHA512
160b2d3951b3e31859424605cbf90752bd5209550df45b9f8a463b108c242ab63e131f78a40f53637028cf853e4c6aefdfeabe1f3536f4f53f095ae35e9c21ca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
97b88f2f19fbb19897f796d7e68c2544

SHA1
e1e60e0110c7c34799b0f681b8c2d1c6dd42b190

SHA256
659773f7a0d8bd345a89800329833d20a878a3b23ee42d97fc28a4231a3e8944

SHA512
a8f7bbb3675dc8ee1e47ac948e6603b1cb196f5635ca097f0b10063f12671037490dc162bcbd1695c9b59cb383c2b269719ccaddc4788830a3400f8439770b26

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c88a47b4bff0db524595562eb118695

SHA1
c4bd979b63a77a1a74b7f2c1353864338368569a

SHA256
416ff2ccb998d30d97fbaf70a28f0b6a7a6ce4edb50d1e7e255cf75d7f159344

SHA512
ee0dcd44ebc04a60ba331a4b5c9c999d142d15f0f6f3d3be36799540f9478b5264b388b5bce14c676d13ecdacc020fc74e500132a72259a459016af46c380e94

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a25c0629390e588127e970c48a4a7b6d

SHA1
07cfb4ebeb7bb9fd6ec9b9b9ae527aad8dc69c89

SHA256
9cd0455252642d644bbc6b011d45b7b01ab5d4d62db4f4ab45adf0b7ad0f64da

SHA512
c632a11481f3460aaad92463805a64ce1c244196f7e21235e9a983588b6f382f7c87ebfa5cf6611393aa2a66b7fcfd069bdf77bf423aa74d1af4e9a10b04f5a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8433296b3931dfa238fa9647343d1bba

SHA1
481b1b5ecefda40c95399a59b0380860d33efb1e

SHA256
7cde7d458a7a6b8b7f5bc00b501202a1f88034ec87441d2d8bba5a26b26965ce

SHA512
5c7c31a09893b5d40a7697230ae448e17b30a7792e9a5bf30b15cdbeee51bbca5f672a5bceaa0427e3d2c8b7d8773d7df94f66d2674fe7276e9775a099a7adc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8fc6ff2ef49ab8e8f1740ac235777332

SHA1
7d4495bcfef3a4a44abbb9d6f33970a6375b7861

SHA256
2f601ab7a6e608c4d69e5a729129214742c89fd0a182d21aaed4c49203bbfdf2

SHA512
214eea14a80b20d1e005081c60f30297e41bb4e0f2b94a68d99a5502e48d2b6f5004f6644cbe1e3f9762743040665fb84e3cd17f7709851197290c5b2b0266dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
39f4b5db892894924889dad71960746a

SHA1
384279638ab02fabcbbaa68272be100ab2d8315c

SHA256
02f7bfc0148f1eef5883653d442084a1aa660c2d5c33d39cd50e798bad0ae82f

SHA512
947c150a5ad2daee577e045f33553da8f22db408f48539823bb23e98f1e6e4268b6b82efcf6758aa415aeac4e9be737f3d037ebd2fe3c79e1c5907ea0dc381dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9d19772407e14abe1ddba2e28f155a93

SHA1
e7d20a020a3412f2b89f9075967984bb04e9d214

SHA256
ed021b32d71df4ce83a6729896cde748bbc84d0c78e80b3dad078ab1897622d7

SHA512
b8cdff3ca331418f93407700cd653ad63a7c4068fe193b7265c1866750a08c0e70c94c70962f68ebf0c6204f9809cf0f177c7c0194f6c9be394ce935d9d9b38d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d30f6f579ca8337cc944be216787fe4f

SHA1
9244f7745b400a02d5fada9c69bd086640a1fb1d

SHA256
8de7f7e0f65fe2031bc515bfca0f65b2ae577ec22139ff81a56b939731ae076e

SHA512
3442a3f17440856fea0644b2e7cea8cb101de5d29d9e8b6b6940ec93f97ef5436ce76ba9c8931febd0bcac1d91700422b24bd205cfa05b939f657989f3a68dcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b798e3335a90def5952d4595c2817d15

SHA1
070a9f2bf06d7ad1e58e91d3c63f6ec1f2b262bd

SHA256
163f71cbbab57be754205e782424657df563a83fe171192f12dcb4510c92430f

SHA512
dc445c28c784cec35aec4e75a9670c0e15d240e771b6e000f43dbfdbb17fa6b28a26eef7c9f73ea80337afbf95349f7cae7fbe31ff61e5fe8611084cb438b948

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
40f6dc9c976118c8dab98fb64d197a9b

SHA1
18481e510fc15381dd48922f2e7037033f385638

SHA256
89e4093611c8dafc58c8bf8693c0420ad00d7f46b0b855ab8d1d8a965809baea

SHA512
78e335ccba95d3c998f86b124e343cdd0e50a02c4bbaad050f8c6259ce6f7feb46a9845308082bae78b00e03fe2a6f9b7d0c8617455c265b1844a4b3080119fc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
766c79a4aa53da6cf9525419f5293902

SHA1
6b7c85b07f898184592f1f33dcff3e39fd8a93b0

SHA256
8aafe821455f93f2bde3ae096d5a3e2b4a57f2c4e8b2eb4903b4f90d677a8778

SHA512
d94d04511e6894ba84a733f3e43e4a3d7032bfc791f93b70381e0859f1037f34d961f2005619b017d2d871434e67abe7f0635a285ec4d80e9e9197d5cf74b5da

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cbfb5edf973fadbef017ed9ebda15161

SHA1
c4f7ac15b78f2db9f43c82d40cb258b3b3e9074b

SHA256
b43c2dac3a37b2e653526ba013f348c9faca1e73367e3810c55ca1c6461a13c9

SHA512
aadb0cbb24b12129ed14a4914ffd1b0f4125043d7a24eca6715475b833641790b134cad01169d188b3eb29b992b17ca708e1db6af5e200f55bce0fe7ff5a8ca9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
07c459422631ffcb633f0eff59817c47

SHA1
d97d64f5f628ae437b0a8225b27a6fe727ee6c70

SHA256
3a9c5c880e3231627b67d4dfb117b73b63cc2aaf6ec1b2291eff0ef1bf7ac9a6

SHA512
b8a42dbf947de569aee9462fd093aa593f36700c83e54f707f17acd9335eb9ba6337d40c3743275809b11e73d699db6a725486da2887a37ef8d6a222d559e15c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e66205d8378e07fdcd7cf15007c2adf6

SHA1
58e50d8191e175e34cbabcf667b897a7ba1cd895

SHA256
6a4f0da22eb6eb4856d6b3f950659c87abdccf090c14098e95447fc9353d8daf

SHA512
f72f388aa73e7ca33d5f6087a2c286c414ca88ca3d7d9d91af505ac6312a067a38877930eed1b78c239302689d01a76257e55860951ab888b49e50c32868fd70

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6d25066c7478b6fcc5380d13f652d9df

SHA1
f939aa10c1d25db962078b5682c05b335570dd7d

SHA256
75b815c5b3502c3227e6ff80a395deea519e091a6b731bc42c4940f30ab1e39a

SHA512
8a7e4a4531553b440cb114c386dbca5c4f9f10e220d2a24cc813873bbbb668ef8e3e6649869c51640c250603298dabba6992ba52902b017cedf9b341ab1a7f86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1fa11b096d0bfa3a7f044eba0d91fa3a

SHA1
a1dfef47dd0a979a1fab378059688219d5a7772a

SHA256
0854de2057b2f49f5092c6c0f28745d006bf24d37c7caf361e6fa6c5e074283e

SHA512
25f2d7599045841b1585b88c5c679a4db6995d312bc7dcc36b75b3df95585a2199b1f072c855aea33b50e7733ba192d467c64372d088b3322d89969c2185668e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a9ecb8afa22bd2ffef8b37cffb875b3

SHA1
50d7c863cbefad40ee07f6a9f6fd9dcb670439f7

SHA256
0819e5ed04e0127301faad3248e8585c7a54046b549e35491e4fc8c4dbcfaf3b

SHA512
c952fe0cc90f66d9295b238ffc584c2feb1db365e86050343db2c020398fb26e9ab415d1fa53be6cb0be33980f60b39fc9102cdae4e420a043f6f88df6a13237

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
48b4c1fc617c6e2436f2bc814948621c

SHA1
6d98bdaa8a840048acfe7c373c547df962bc465a

SHA256
64a0d2af83f9a56ee89da66d7d4840a0cda88d704e7a4ab2a37c58a202e586e9

SHA512
5636a6b907ca33e167e08207ebee9419cfd26ccef2faa9ef5ff22d697f7818b18ede91e24e8e38d134da56ade179fd24879081265bb7f270c50b8f35293c7ab9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
76ab9d616c5fc37292d553ea5a1d5d7e

SHA1
29391941e12c19773faded9157d28cc11449e436

SHA256
9acc6c8ded765948d53e2e499f04c9650348f0acfe5a0951d04bc69e75398364

SHA512
0d0146d4bbee4f7953abbfc3aade1377c9f01d4fa032fc974edaf512fa31415b9b614e3e48226c0056c976fb2d103d9990e5460339005764a000dd1cc977747c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f213f8ad5269c2578e900c9c949c0436

SHA1
2206df0dcb6ea34b565c9a5a8228e2dead404d37

SHA256
48e0d20dba5cf3bbb8f2b91872a70e64cec532367c332efc02155c9e834aa151

SHA512
99fd4ec6f48d9f6c2b120cc339bd55062ec2d80783d4cf7771fa207418352e437f7e5c26e7ae141322328c447bf6ef434d4a10d4c6b2bdf728b31ac3793aaa28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
00495bb44cfce574aef0cc0538a35f94

SHA1
4be4d7a6e13fe06d08b88e5160b930aeb2da51b2

SHA256
1dab6bd407e10bc74d6ffd61b90502665782709f3d2105e774b31f2f2c7bd84c

SHA512
67977c8f6a1e6d1a54c125cc6988dfe7ed7d7bf5386f996fd8b8e1e1f4c2972ba6b96acdc65254cc70a931ff82bcd918ef64d2bb2686bd1da11bba0e15286db2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eb4e45abf44a7857e011f67846068741

SHA1
259251f36c702028fdbdf15130e8f9926e2b0cd3

SHA256
df7a8bc76591a78729df45be168721a755d73db8c0757eef8ba81b883df0974c

SHA512
ca24dd9e8a2c766e68a08ed88e71727b3a2b36f9c43f2e21f46286ec89098d694529b9139b806f5983e7706abb516a7ea93d7ada13ebeb62ed862a0f6a408d8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3d870bd8870139f31bf44b244eaafd61

SHA1
0c63aeaefdacd5b11b1f18b1e3ff06222959ff4b

SHA256
12428775e1725cc35b8fee373ed09c6d3f39ca5776cf4b68c83a5d7936db75d9

SHA512
0a83dc98511474ee7d5acdb7d45b7a9e9fded6e114b108a137502f713297270e0a2650883156f1d8c75b4f12b53e860c67b3d14187a7cfb3f3f4739984964454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2b98865a8681afe00ab1070d2b307637

SHA1
19efe210556c85551fab5accca7bcebe105f3a5a

SHA256
078a21fd9be6f7a0eb85522ee531fdbb891baa357756a3621835aeec7424cc1a

SHA512
9b0ddecaaa4725968270dd4d8661f54fd7d7eb8a6f9b9dae8025d2df5eb6ef79104938e95f880bb8b585e2c2fb3b84edf2d121bd66f807d1e701c56bc1c5bf06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7bd3045583217cfe7191822dcc4dd771

SHA1
ae06e84d8036c2053f8c8b9dffd3fd47c0acbe98

SHA256
634359c3774a64d5796c5c60273df07676b9e36e536cc9184b4f147c859f88f0

SHA512
7c0046d1bd9d135805c8a6322ee9ff28f7f2638defe84004c87ccedceb2dfce45b73dac3d5d4682dbdbfbea60cc4ac6aaf69f00f37ae91a6012d9f88079bae4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
178c62712702df043416b1cc3ca1a791

SHA1
dfc52141233458b62119a9ff8047ab8d612507ba

SHA256
01cc2a37913345d8c7ebaf9662045da5371878c06ca0140ea848bce378bb297e

SHA512
db4f0402e35e560c662ccdde1c26a8af97387424b0b08dd28764b5dc5dac2038763263afb178d8d290e7fdd1e226a085939eaafbf7e41f7cb3920976962e2e6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
9eb41635e3bd361a0779ecc8a93ff8f3

SHA1
1ea80c43b56b82faf439e9a7a9246f6c4a025796

SHA256
7dc52458c72e674a884166ea1a802610011a4860029d4455ffd9262cff4eb4ad

SHA512
9f22cefe993803f4ae8b4b6f49ca3790ef2854c7632509c0d0b8ef7130605c8d533a96154da150f3e2056f74430c4cb6585e406aa9999e9a04afecde26189819

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0e8f69b6c7eaad9cf11535828651b0d5

SHA1
455d088d538141711a8f9bf14a3594de6d0c449a

SHA256
5f5b03d55daae66a0cc1d45d07e09d597cbafc01fe32af4db8fcff24a20c6dfc

SHA512
1a7f48c244d34a8f110fa680c16e0ce89e522e9133e45cf976bdc477ad3c7a0dae1c1b2104cc823c342d39f06699fc903db64c1decff74ef4c830d6ff411ebad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
da04576ab5b1b3d7fa696cf098e16810

SHA1
acbdeb455c2c72cc8101fa6911c0f8f112e77de9

SHA256
98ded94e60aa8fcc8f61b45fbaa04f6e7991049baa0f036ea98c7d6cfab7717f

SHA512
681a7e72d7c89b51c54be1c4d0d919ab1ae65437e9f15a6eea263ccda538ba17c40a5eed5e51c55d1b56b5794f1b56777c5b3ed738fc0a54d4e541cd263e4051

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
de9ef87185fffc704b5e2def9d806fe9

SHA1
14042fb4cce60cef3f8de601bc8d23277e623933

SHA256
a1252069a59e48c695c51cef653b5304e6a00b69ca5b0ae9e9a5c000e4b9d36a

SHA512
d4637f24c7e37df92d8d8133bc4cee010ab642cb64198646044b28e9120433a9c4748e485758226e93d0094be866bf01a4fa74a231049620a11aa5711d29f4de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fe5a59205a30e5644d33f49c99295450

SHA1
af45420a619b6f174d8d5d5b5174289f25ba37b4

SHA256
0f13a935e3a45a2d86883c304bb018f6ab891d23fce347e649e4e07d0c9bd56c

SHA512
af10075f2c2281fc872e15a4a35956b142c14812c38d00b54aab1a8fb5d1f0e0a5fd56a4b1aeaf3bee3744247c024f56f1932785cb8d6cbd8512544c7b6015cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
73cc1e954eae58dabc3e4e43dd6ac299

SHA1
d0d2edf08acb5b532580070d2d9724c72ea0513c

SHA256
61e38fb24c3bc28e9c90e108e60fc34123486638cf69bc75bcb83a4e27134a0b

SHA512
d6361321ac2384e0071b3327ec75c7128721ad189db7cbefff24b665dbc9f34692db783df2fc8503be9af6175e34a16edfb8436e0855ec95edf3adb39e7ad685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eda17a2bd6d93178989caaf10418a9df

SHA1
bf97d48085415beab2677e63f18043396bd58d6d

SHA256
2a00a1713fdff479ab0a9d85f0a3ea96cab39a4ace29ca944e3d1021950f22bf

SHA512
42f84514000660870e1927157580e5f611f7ba229ac2147f0accb13a2bb06376316a9d458639bc63491cbe07465855bbc2581f0aafef6ac9b34cba9cc29843f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a02619b34b3f46cb11794bce3bab6fc2

SHA1
a8fef3b3644f2432a4cf69c76a61838aa63a2ca8

SHA256
0b2862e06aa6e18c2519f202f364b9eade6f290023cb1d4cf6bff4ee5b8b24f7

SHA512
324283b283a43fc6d971ebd041a41fd3ce907b9d9038faea6d50ea1f58c7b203f0eb8c917de680c399d3c5fa100ebca92bdc6bb77ef4afbba7cb5dcdb0d19d3d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9b02a9f2aee567b856671c4ba1dd6c76

SHA1
d55c057ec64b0459d4bf0107b5f19190b6e7c9d4

SHA256
15b1fc094849ff5564db793d6e8ca9278ac5f51c3c8e1821fb00c6b7824a5e63

SHA512
dd35002fd9c4e4f860f44fa05dc182fb51efa31796b8cf9fcb5d9739b0b5db637613bcc61a46b93211274b1ef310b24b6c468b17422853befe181fd7294db7f3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
aedd741802bfdcd8d14b5176d0b8ec82

SHA1
ef37c2c65adf12cf2558dfc487f906629c024e69

SHA256
1207c0feebdd2e31edaf0fb436f0c57e6bbe250ce1264a9be7d0f3345c1daefd

SHA512
bdb646879c8369db9a3833db24e9a5a39076b5877a8fde6aac17cb0c1568ad6d2e6be346d3ab0bf46cd382eb5332e5de159dfd0290463e0de9c6cb15bc6e7d29

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6ff518a96bef1457e76e28671db28449

SHA1
a4ea243cfcce3466ec9f4f805f14b69ba922fd03

SHA256
d971d6f1766c7a56ab2bf29f1affdc5505e8c254a82c76c31c347daf942909bf

SHA512
0cfcaaf5937009dd29496ec1b028d0d6550baf6779180f230f22f28517276d38db0b0bfa7389226354d3161a2628de0de407a8b916c234ff76db173697175841

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
133b8810af320f698a341dfc50b79c02

SHA1
633a19a7fec593b0d620dc3c99cd96aa09a1a01a

SHA256
a0dbc20965043c785da2f81acc03a83fa47e594dcc65140b7a7e10f5250bb176

SHA512
d04c175b3abe31899281bdebe9dc81cc499247b7cb472f83c15c917ebdf37c6451d3808731ec35b7e804a4a83bb98120a61b510bd987cad873b40021125f6b03

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c59f5029d45d4e78ad3b9b4e305ad5c5

SHA1
606c090b1a23146ce9de47048caf769c6a7bebba

SHA256
ecea7404e7e688fc6fb12a33381cddbd9b4af927bbec1f009985906186f4882c

SHA512
41043e692ad6d7f5b79df5b6552a28d92e10b455fc001247ce0eb3eb8a31a8fbd4d1aaaa9fbc0696a11593c5d8838446346fd0ec25853c18643f1786e9c8bcfc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a91c5444e37cae3fad45844799d0a231

SHA1
2782d2d45f9a1adddcadbe738d273dde3608db7d

SHA256
85cb4328f392e4d3185fc216743ca1847a46927f04c7d8a2b6a5baee6d492e65

SHA512
06d5079ec522c876f90be646c34c93e67b0477a24fff05a59310841fbd66debf12e87e30b957dc4cbd96a4ae5e44dee3aa7c9245b008a3a6807de75ce6449e43

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
43cd63fec994fc664a61321dbdaa1ed9

SHA1
01d2088f3d0d7eb54b213a853929cff60490d75b

SHA256
59a30a137d1592a1fd6d9492d01c015c59118acbc74e35e8e0ffb2765e229929

SHA512
a0430e41caef388868d794c3c88785a6c055dc90ba4aba09ede3cc4b3939216893375aef53e4e547e10ee508fcadc655a844ef95060b067467e7b5731678581a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
016df6a53bc08b894cbe6871b66f4f4a

SHA1
2d54d0638691df0eaf9922de9e0e0bb63421040c

SHA256
5024e683746dd19f7bb6f053aae2f485c60ef7040cfeb59af98cf7348b113fcc

SHA512
01102af6e5972a81d66ab5eeb586e59762e6afb3d089c259737c4fe05bb2962ae661cc86a8c1242c121d55c44334c66efdeff0681a8f2c5a1b7a98cc89ed3e0b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
94be3fdf203489b782a9141f6741245c

SHA1
89221928356cebfc7dcd82c45962e418dc4b14c1

SHA256
a27048f5a4d50a964c995cd349ec1e7a003c483d0054e18ef68fd720234fc40c

SHA512
329ae2326480e043798420069ec96f94380d29fb486d6837a113683a24cb3d4d061e618fd700e19ae99dfd2cdc581ad2c6011c8083635956549d6bd8ad21131d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
34e80cf9642342052000eba1abc057e1

SHA1
1c618dab9f60b0db3352f6459a2ad96232de0875

SHA256
915f14d61800d16ab6c1fb5377a7b3fca9d6b556f4703c54fa5c88af09bcf2f5

SHA512
333538a75350d73c660af8a11b9f5294cd590c28039c92ea17cc0b524e3b0dbf964bec7b95555aa08658fc4149e8f3358d9761d6fdbb27e981f1efc69cf92bb7

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a7741518d5caaf511986017c0dd04557

SHA1
a0c2665f05bff23630a8da5d31db2fb5fb3b6904

SHA256
8fe17be043b3d594a26f2a496f99aaea495e21464e5ce018e734f593806a3cf9

SHA512
abc4c8df27e34085cb8f35ace6ef1dec92eaf201bf7975361f346f04c860eb2b0662dcacb72f2980861daeac9483d4d5d16dc691db9ade0763e19cf328ecf578

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7e416c105b2b6152c0dd7f6ab50e641b

SHA1
33a9da7c68475474f53768583db9a778f7f55bd7

SHA256
052cdb45e1ad70b9a7c3bbab0cfe9fe69f94ae0961297bbd37746eb768278b80

SHA512
1b691e5b22940527b6f6f378d759c5956e2ca6f57ba8320a4b00b9ec74948b9e8268363e18fcc29e9696ce26ab8a6bad9baa45f2aee868adfd5a6d1d5ea45a37

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cb893b3a2cdd74be1810d7ed33bf61e5

SHA1
6208d34adf35ee536b6d3c6e47c7be89cdff8fe6

SHA256
a83eaf79dbafc0d0b6c4035d4446269c8dc8c294d8c0ec6e78c68a9f12f781a9

SHA512
400cc01d115af92c60d82fde0642413cc0de5e6f60ddeda73cd99adcd8dba6c09449a3b417bfe2275343be873dad1cfa85cd027ef4d3cb322fdc295e9bc0695f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4a0d51d8e15d4e5c84ca98b19ef6d84b

SHA1
4b2600583ec09572af20d9256036e89e1c83f73b

SHA256
c422a464aa2d6f7099b27a28a8610fc7b4f7c12cfbf5fd5a970f99311c49b71f

SHA512
73ef804584249b90c50b13749c09262655df0826256fb720b9c9885e566673f3f1ad10668ac020242cbc7088f7c455b24b279a8cc03e9595289c7f7ba00b89c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
fa905ba99b88e1a5a56a546273767faa

SHA1
b2633cf3b7f06a920af3c20d010c77bad2c8ea85

SHA256
66e88c1123947647a63eaff3f16d29ca431e62d7f833a01ef83829ddcb6fdbf3

SHA512
31bace99e926111d6f6d57f7cfe0d720249555de1545caf49a46aa5ced10bdf49fa034f98f7a43974efe9daeb7f32d638cc25ff7b74f23a5a5d254fa5710415e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e8b103406ab8cbc0d5fcdc5f27d23ad3

SHA1
ce797a11defbbc6f7ce1ddace0e98c2163fa41bd

SHA256
f526c47221e2b9e2bac3e5c75cccc196c7a4623ab5d68ac8455ca54cf5224be5

SHA512
aac215619be29084170df66ffd07bb3bb0e4504e5a102bf40e07ff9b5c597db6a4ecd4306b2c56f030549482fbb64b4c01ff5799cdb316fee85f15d4a29aad37

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a20aa0d38d318729cffa55e1fb4c2b23

SHA1
c2b2451c3407536c4b5698f2bb42471dc176d597

SHA256
8535ba7bc69d932d4ea8fac122a278f411fa9ead5bb7401baa3668e4d73db716

SHA512
0652f746c92dafe152359b23e15afc09ff20a2a32dedbdb433d3a053772ef45132695b7a6ef3e19b112e4b82e5beed2ad826dfc2704bd619496ea4ba370b5fe2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
63fb2ec9653afb05a182caa53919fe99

SHA1
c474fc75036fe467bdf034a244a57cf8c80564b7

SHA256
9f7bb7f7abf56500463f543c923492865e8fc88748cc60b8e3377581dd54f422

SHA512
853934274bbd846e28b288174bbbaa6cac016ea4b2b2e0fc479675c0098b7264c465854737e13407676b987eb9ba6777a250bb890491f922a3b8ce420b21944c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6345d307a537e37e1d12e825f98344eb

SHA1
b8e46eda82c5c0c64cd0adc24413958f01418b4b

SHA256
21dc08d5a5094eb3167bd33bed4d9d365f400a069a9fa1a2186fee17dc5a65a5

SHA512
a878e6e8d06e5783e67dc9af68583f0c967eaeece162092b194059793fb5f75881c02f7f0ee0046972910802e3308d7c5c8fdd9e40cac0b55ea362c3f8037d51

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
040514833879b68f591481d59153c28f

SHA1
6112778e3571f92873cfd17c92e07e70f2163365

SHA256
6e11b581bfc232d48cf76b2678cfa11409b000fa1ae2d825d81657cd2acfdf9d

SHA512
296266a10aafd14c13b85b7ab9afa1ae31f4515350b03f078a39ff9c6fd8ea9c03e43256fc0dc9064419c1305d998382624e586efb6fc28f4f1f43a90cdce5f2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0356b9a472542aa07f9d08d0e90673ce

SHA1
71544b78309af10da9e075fe4ccb027c38f642fc

SHA256
b8096757c97eb1b9f36e8abe062842ef3463a2aef30743cb59db3e3b39289862

SHA512
8fd0fe45aed6edf8170c4084d8bb1281d9fe562820e4da8ecfc4d81de67504db72f8f754d69b680009fcaaf6ab81f7894d87976bc77a3ffadf751fd801b303eb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
01f0baf4a47889fb336ea6349f9bfb17

SHA1
43d3920932c599ea327d77b61c8037e356d1d80f

SHA256
6358a3bfc8c68fbfdca339b5f697c0fa2b208493ed67022b5daba693d438e6c3

SHA512
67967d5a6b37dc3dcb4d51c37133c86a4aa4e1675240127933a94ca444477daa47580bd67fb432d328bdf868fae4f7390e1d78328c4d3c8e85fe49e50961e95f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bb0f31dd403bc4b27b5027e8a60b93f0

SHA1
b3b80c4a25fb181ea2dceab21779056d9f1c2318

SHA256
3a77df039af1619c293fff4f9adde5b62848ec72bf4cb7dc3c2a8d8c1aa0bc4e

SHA512
8e91840f94d1fafd82208a3037ebe8de73f7c5a39541b1633191974f2296eedce9677008b9af578f4bffe2260beb02e08dc067592dffee72990629bda9408d98

Download Submit
memory/376-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/620-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/620-31-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/620-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1208-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1208-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1740-10-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1740-113-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1740-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1740-0-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/1740-5-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/1784-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1784-583-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2108-162-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2108-445-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2208-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2208-587-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2248-592-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2248-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2728-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2728-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2876-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2876-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2992-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2992-85-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2992-74-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/2992-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2992-80-0x0000000001AC0000-0x0000000001B20000-memory.dmp

Filesize
384KB

Download
memory/3020-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3020-483-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3256-238-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3256-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3368-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3368-20-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3368-11-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/3368-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3616-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3616-593-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3660-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3660-58-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3660-52-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3660-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3828-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3828-90-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3828-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3956-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3956-47-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3956-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3956-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3956-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4060-586-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4060-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4256-250-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4256-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4348-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4404-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4404-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4884-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4884-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4884-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download