8d5b53acef88195c4ed809616e4f2ba4f32f96599b035dba7507d2573d833032

Analysis

max time kernel
88s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Size

24.3MB
MD5

e382ee8cd94b4b4453228ffaf9fcfdd9
SHA1

14b1c4c5e30740aa3252e90c98990858dcbff70e
SHA256

8d5b53acef88195c4ed809616e4f2ba4f32f96599b035dba7507d2573d833032
SHA512

670ccc098f9beb5896f72665b05cefb50945aed63bb63755d1fb3b7c726af0fff5916fcf274ea1566e4c68b5879dce66dc17f5cbece04742df74b87a4e89e809
SSDEEP

196608:aP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018/:aPboGX8a/jWWu3cI2D/cWcls1e

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3048	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
2620	fxssvc.exe
4024	elevation_service.exe
4684	elevation_service.exe
1600	maintenanceservice.exe
316	msdtc.exe
440	OSE.EXE
400	PerceptionSimulationService.exe
4012	perfhost.exe
3580	locator.exe
1412	SensorDataService.exe
4676	snmptrap.exe
2148	spectrum.exe
1480	ssh-agent.exe
4664	TieringEngineService.exe
5004	AgentService.exe
2172	vds.exe
1272	vssvc.exe
3864	wbengine.exe
3332	WmiApSrv.exe
4820	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\70b7bb94293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e409a878bdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b92d078bdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000139f5f79bdb7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7c74779bdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011f81b7abdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4399b79bdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000106daa78bdb7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2620	fxssvc.exe
Token: SeRestorePrivilege	4664	TieringEngineService.exe
Token: SeManageVolumePrivilege	4664	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5004	AgentService.exe
Token: SeBackupPrivilege	1272	vssvc.exe
Token: SeRestorePrivilege	1272	vssvc.exe
Token: SeAuditPrivilege	1272	vssvc.exe
Token: SeBackupPrivilege	3864	wbengine.exe
Token: SeRestorePrivilege	3864	wbengine.exe
Token: SeSecurityPrivilege	3864	wbengine.exe
Token: 33	4820	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4820	SearchIndexer.exe
Token: SeDebugPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	232	2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 5412	4820	SearchIndexer.exe	118
PID 4820 wrote to memory of 5412	4820	SearchIndexer.exe	118
PID 4820 wrote to memory of 5488	4820	SearchIndexer.exe	119
PID 4820 wrote to memory of 5488	4820	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_e382ee8cd94b4b4453228ffaf9fcfdd9_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:316

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:440

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1412

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2456

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a8145e580b47cf6bd614d97e98021283

SHA1
113cc0630956ddcb04248279cf40914deaf99e6b

SHA256
ff268fe548fd4682b501d5f2f01279ac2e658b5ef680c68ec0c9c5fe38c0385c

SHA512
cf7c1441e028913708e00edd4ff4ee4b9438e293bed73a25dfe3236b4a982e1d5a4ea6b87e5102398b6719da2c4b4b9cfa0a322733d285af918d6de8c708e816

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0f227d214f6fd37979d1a1619a45736a

SHA1
c4362061042aca7cd43aab88e5bab90f77e54a57

SHA256
ab4d91455779030c58b2a63f4554ab4de8db9925c5b923bca25041d2de6e5bb6

SHA512
b13a0bf1c8083f7d674c0b08411ca895ee9cb031ef61d8a03df32890bbc11cab101eea679e9e3e787170e1cb015bbd0776079945409bad4ac4ff8e612f27c71f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
623b253620838c48c6e687caa286449a

SHA1
3b45c0541bafac04174ccc0a68ed137f89be9ae1

SHA256
648563b46a6895bdee472356be1ef7447390aca138a4b2a9e51b71366e4c64b6

SHA512
17262ecc9127c38eaf74d590f95899f22f15bdd9da72ac6bd09e55268e594324c24a1347feb61c6636625cd6bfd9b19013d83dded8654f997a9a36a2e2f4ac3b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5cda6a3ae2c35c365b3a9e64f250922f

SHA1
8c3045e66513e04051ca8d8121957dedd9eed80d

SHA256
ecf62014a3b71bcbbaa9fbb40dc5b759ecfda29af439f14d19c7cc7de0ba308b

SHA512
59ce74bc999fdc74d4d5b74ddccf6d3e4676a4c6a8ff78cd09f40c85f3acf66ff92dd86e848f427e949e1d42e31307107b09737dec26fb8c850fd2127d47d18b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
165fd2eb61b57b999805c64579b1629a

SHA1
7d8c129873ba62d47d3a8f35da20bf1adbbd4b6f

SHA256
270e9cc286a8981940fe99e345e0b6ee9e643ad98a38858883e7d76c3a7dc8d4

SHA512
7a0cf0ade5a14113ed34ad53edb86a5832640c7f82e920f2c7ee818b7a386172b8c54943f2343ff5708bb92da7f45fbd78a316f3630494bb0b0c907138fc1ed4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
c9821abf57cc086df7fbbe8715763ed2

SHA1
6886e7349d097ede0c21eec07286bebc86454fd2

SHA256
fabe4a19310cc59e0559a073d0b84ec3d80a526e384402921527a9c74cfd8f1d

SHA512
cbf7e2b04d511a9d273c52471949b94adc18f13f0549def21903ae39015a6efbf4ba304c110f5d77176ed34fa4b3f542df4b5b93f93886542aeb1c6340abafef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
6af1643eb7a7415feddfb9c030152d9c

SHA1
9b0cffbc8b144db5baefb791a9a17e8616a79fe3

SHA256
a693dfbd4effdb73dfe1b89ef9fe74036e1c236d235f560ec1704d612810cee9

SHA512
82f16d5d0c112329ea67bc2f67b14d7dc531a9cd31860c0752417ee181b4360e3b765bcd0c00f4e70df005640c2eef4e445c7e3bb6e47696d5ebfa886febbcf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
2.1MB

MD5
629f6c6cbc808d190ed399d252523ebf

SHA1
07c751c5b8b544ffad9f96e13438063f80d00108

SHA256
ba5db1063e5e87f04f358a59e0a84fb33b84644ed64ba3631e3075b08b81da47

SHA512
ffe65702fe3dab55613eb93ff082363ccee58c8019f1eb4b4ee2cd6d31beddb6156a1be5d56790902a6988af91eb0ef3405b9efb33abe688b3d4fffd7b894e08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
d883936fc86f5ec7e80bbc4330b3f43e

SHA1
71fc744530e0e8309b21b2270b819a7726e1dc60

SHA256
73703eb9073450115d90d1bdc4fa463dbde5a9b5eec902ff2fbdcfa7a4c393f0

SHA512
60b99859bc1e965818f755ad8ec089c77c7bd24cd545cdf00ee4d6430feaec6d689cf83f0287a6ce64fcc3584c43791966ca521b4d4d967c14ff4254b6add553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
5.4MB

MD5
f9919de75edc480751413562a056ba7d

SHA1
a164ddb78094ee809f5d42fc30837a314492f0fe

SHA256
792c9245ef99087c7af09ab7983834f403d8ae6fbfe5c553693d2188cdf41671

SHA512
b8d400cd4e89611f6b37dc2cc08eab3d69cf2e1b0d6b0dc6c679264b3802a80c2a55711b61623cbe4264621e78b1e16347d6256786f5ab91b49e9b452271f6bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1a15765e4ab760c9cf5054611ef5d0c8

SHA1
803d881dc2821ef6e2c171036d04fc63393c0f04

SHA256
eb9ad56b89dd9474c4dc3826761e015bf1058fd26fe5fe8bcd5b269d0ee54236

SHA512
66b58cf7a0645c2bfbc6552df820c91be0125e25914cdda7d78386874a93a401f4c3bd50396f492eb7403c6968f5e14e29a280f52841c2620648cd497d05533b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fa2755b64581e15855e8903312409987

SHA1
257d7637ee0709f5be4abbd976b9d6fbe1a9c203

SHA256
9b87b4e99bba7281bc4070cd5e979705a04b9405e2cc2323dece70ad1cebdf90

SHA512
5e3c9553db2d557df7d907fbebb21812b584047c2986266b485128279d944e3523f2f6724faa122943635b861baf28996654dedfcad5dd1efc81d5f5c3075fe2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
da0ccac4b49ec9b05818c938d9c51b0f

SHA1
c59fd9012618e5f05e8c5630eaf44a42324ca302

SHA256
9d3f26f43b0cdc75fbe4336ddb199b8096192c80a7558a3f90620b670edbe7f1

SHA512
6f78bf15d35daf1ad9db3b7907faa23cc9cfdd944c8317017518036024fd23254896140331b7b825c1b5e65ab263ffd4c7c1b0e5c60601dc43c61b9a3ae071ef

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
448KB

MD5
1093e45f2465e12f811cb1a9e9a4b4b4

SHA1
e076ece5b15c60baeec9dfe9d36a74a06870b60b

SHA256
f1f69b999ad7c5b2870c18fb0cc193f9bbd22caacc95649a25cd426c8001dfe9

SHA512
e6919799429e41947c64015ea726cb909f80685ff2cd4ce67eee8246e7759d69e79f936f17e85973f9e40b2a0d0bc5fe402b5981aa73f2e1ed3adb5551429c17

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
4.3MB

MD5
1a11cc743bbd41de90ad855937d7cadd

SHA1
b4dee4a616beddaba4e2c97f0b5d11119d4e311f

SHA256
6bbe7e44dc8005c50b34e67bb912b5d418b99336ac579c16ea765950361362b9

SHA512
b79dd5adb9f263aff53cadb3f77bfd36458991bec021faeef8619ff9f8acda8320df1cfabeb7bd6ef1f514ce52c6bc67a655ef842efe6f36a48073f2bea6aea4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
2.4MB

MD5
a4928e30688a8ebcd0fe4730c540817f

SHA1
4e002995ed49763867c8ac92ab9b01fc2ac19775

SHA256
98a541975cba53078ace650e01584e5d6c75e9d6197b2a29a990e1a8663eba55

SHA512
341cbdf5e9bfa175fee665e4e271df460449a0e6c0d7452482222f33ce6c44bb85dcba3cbee5d27026b7180ad52cb9004b335989adba21943e2ad64db1693223

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a5ebf3c50e337e2ed42323a15fe48ff5

SHA1
a03fbaf91631a92c8b49d1abe63b42c89ad71d27

SHA256
ad6c83265d1d1e710c84dd8c7def3785cf9a7982f380afc7f0ca421fa2240321

SHA512
48aa1df89b2500140b3dad41ba561e4556309d62d0513b5fbe59a21b575b5dd8a170b60255c902c1abf3afbc23fdf5f383442ec502a97611138daf7331abf655

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
eae7adf66f982fc4d0b0930a5f2eef61

SHA1
510990f38102f0bd1857d54a68474c315f0880cf

SHA256
71f0dd76bfb53632b19fd3bca3d6f58e7784217feace926ff1aafa0daa6f6061

SHA512
30544a39a05d121139227af7b8ca708187762425e95d62e81a085373320118d43ac62d8fb9dd80a58883c8f787986ad8dc39f7e92ccdf1caa33ab003ffa9ac2a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fa5d196bb4d0fdb3a6c598d78027a3e3

SHA1
0e8ac4445948894b15a3b15ba7772a1e9be6a729

SHA256
cebba1333f6b8d1fc52f21afb5464a96ee515881268e0e75855f7690edcce541

SHA512
5704f2f2bbfac5e0fe70c9ee6346c419de80426b7d723c6c47e3e1c0a836bc886d2709258f2fbeb3928b641cf38e1d06eb04b56aadd553b547fdbcf98d14ccd5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
384KB

MD5
82260aa1b21757eb29107ffd112ab09b

SHA1
8a60642d4d44c4a22e3f171c3dc73d61947c3797

SHA256
345ea64dfe40d38582c5e76f50d67606575eb67edf85348f569c4f4f55dd1e5e

SHA512
d12ef9202173b25beb2263582db4208d9ed765ee55e6d76ff834dd374216f6d129c72fca257f5f882e9f509a1fa2a9e6f6f0a6304578d455561d435d96c51d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
c3407332e189fbca472f21c8a4f8d6c3

SHA1
15d157ad579b2969fc3f284cdd8aecfbfd9a57d3

SHA256
5560fff1ce271ea3f0a3f3342b4e53e3c9ee805522eb62aa65ce05b56db8fcd4

SHA512
c6786b0919ace87aecc2f595e48ab688dc1552fca6d8c0c385169a1d51aff2e79a533474c5608964d0903bab4300544e0ec4ed22b4314f99b92a7084658d0cb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
384KB

MD5
ef6634612d107126dbd489e85a8206ed

SHA1
d8545acc2167b9b8d6cf589eea3a42b23a2c4abf

SHA256
52ad77cd5875678bc73442be0c025e39f542e7f88f5adb0904b22aaf3bccdac5

SHA512
c7687c6f9b3e4d96d47a3d87cbef56c5895fe8f36ed51f69fb1f62b559a0c0e1df0caf46d5e096a26c423ecc19c2c83f7e556593a93c7d8f3bcbbbb16637ca46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
384KB

MD5
ba673773d22e77f38c5de6f04081b671

SHA1
179dc66dc1b024ea58a0b647cf8c964be6b2ea2a

SHA256
cdf33299c0f938e5fd6f5748a907e026e7a95a0daa41e3779f05eefc06f99863

SHA512
26e71803cf51db10a4d1ff33ffdc7c83f5ea1a1173ad8cb06ec407450a4a1b7271c0ddf3e5e64ebcb12639c3acaf23bbdcb7643dd3277dd18e3cdcdd5e4490c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
7787f54afa8f56d9e725c449d8291739

SHA1
0350a324c2e7165f6354bf7e5580e28ffe3d78ea

SHA256
f18febb191bbe359eb5aabe72a79d0f3a7f48cca8cd370a5ab28861d49f06984

SHA512
d54421f6acb4fad6e6f48f6ff1708311d4e8e8a2ba3cd8d9e05ccca8b8e0ba7d895ba418ede0deedb8a22c528f69bcdc057960b00aab5222a2836ff65d7612b6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
448KB

MD5
0109efacb171812537cace3c4146488e

SHA1
af0aa995cf383e5f8eb2005fea29a2fb0ac5224b

SHA256
1c60cc644566a1eaf9c9dc2376c1f3f4f03a1e8943d17d0c835f878290daa17e

SHA512
a8eb05bb4570c68417763b6d90ecc3f279db49dacd935386ac319509c3adedcc041eef6b365cdaf1f6ef6c0951cbdcf463fdbe2c2f6e1305699268464cc705a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
d0c7dd8a3990c88ff1556f490a0551b9

SHA1
5fb234007cee2a9fba726256a661e9b3eb9638ad

SHA256
33d93c200a4ae716ff15b715524273b0c664e5f7b8653aa79bd70712f0f78e6e

SHA512
f5c14a56f89f1e1b238c007002eddaf6e07674465d36faf85d7a5b85f80e697d771826cbccf58a4ee857ab3e233c740f72158abe73601ec78ea76145dd5cf788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
30f74df5d9a6d8bb77bbde0747b90498

SHA1
3b02c045710094faef4516aac8e06aebc28399af

SHA256
30c0ffa93727ee9ab444a8ffa0f7cab1ed20a46f74b9dc7ee0276b1792f814c4

SHA512
3fc82fdc649b8ab6ba2ee33a422775332572346ed7ff5b7e930ae38fdf0216aed56682af68d6bbe59570b5bd99c7f48aaebaac033c67eb82e19d647b9cb68f61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
24008abc55e6c7830dcf6e9580c9025b

SHA1
e8d4a86e605630ce0acd4b3a0cdb887da32c6ea4

SHA256
a23ad5489c8cec423bbcd6a50330b9e8b193309c454f5cea3d9a2fce8fc6b2d1

SHA512
0cb0886b74f307eda26c709f453a8507bb101c7670d4a377f5eb85bd3848ab7189c3230a09a155149b31cd8b2f1fdc89e8329779b20f5b8daf3b8425702ec50e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
51f0685749dd10eddd30fbf931a59575

SHA1
7cda6471c2d28e03afbbcdbcd989882839cbdfa1

SHA256
0a1a22df4722e6767ba15a6100f972d7b883192f7917a63a8690af45bb7247b6

SHA512
ef653f12b1b04b9d60def630e263b3414c7efb415faf277c6c6db2f6fd0ad8efd6f0b9b81259c10cf15fe8feffac98d5eb5dab43b37d0dd01bcd9d03add2ded9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2e41d55efb4fb8492665d82b1f2a2885

SHA1
ed062a8925e947bf16a22bd3c6257ad419e1c848

SHA256
cfd132e8134a2280b27b29b70f490dbe53367d2d7bb728c4f5cbbb2f04cbaccf

SHA512
0f647b5e3628ea439e6b2278ed89c8e9ad78bbb16a7a6b1682309704c9082242341b17d94263ba9b95a6c762b68469e6d080d8de7d1bc1eadc7e9aca7bbe4074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
06cd30590ab099be66f55eb077ebc8a7

SHA1
44518edb9f9efe89024eb6abb4b30341cd380b87

SHA256
290226ed7e3f79d46f2380d948ee26cd4ea904a3be466318fea3c45b44d2cb94

SHA512
41b5ba9ae8f596af73087f0fc6ae519ccfa0b5f7c10655b3204b63dc2474d7861d7802c49410bd75befa95a55200a5f46c81fe4cdb0ddcd5815000b98c3f3a60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
415e597449b956e2c00897b658dd3f0a

SHA1
3d00753fd9cb754deb268858a480d42f55050cec

SHA256
fa5a8ab714d030ff3507689e00b406fb6fef0f93f401b06fe2bb8ebd0c8bf1ef

SHA512
a82beda4d6cb67cbbd2f98c9dcf550935a4dd462a2dc422e5edc9541db0a550ca00a047dbcc6b9a8f5d12c6fd9d072d071436bf5846b88aed6ea90db6b75aedb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
e6ca0aa5684c121509f904a8bd470908

SHA1
5bfc4f9a6076c427bb3373b5f9a6d73048d4f57f

SHA256
7c15ad84aa36e90bd0a7fa34b938c3ad62628da6cb083680295f5e7910ea36b8

SHA512
2e59b03dd7353375213410088882a710de188ed9ac5e6e078d966d7c32cfe4039599e897082a7a389e65b0c76fd9d4d10d6be760ebce704f570dde33eb197419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
512KB

MD5
6604d8ca67985cbd1518920cfc2746ed

SHA1
2d5905133e7327d42e07ce4c8e682e133679940e

SHA256
9be617f2e15b681029caff68bd34b66edbb20e0d3bf7d91ea7dc51154e287d22

SHA512
ab68b9de55263fce5767fd9b31c87c3eae10026abe291deb22d1744cc8f95a4930979ce433b9dc01ccbfd9c1400bec451ac642610374c83119da8b1a752f7d40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
13ec62f13ca0745f4bcaadaf041f3cf7

SHA1
f44ef86d6459191a9da323043d50a1a8658dee7e

SHA256
d04a32ac0a4ca2e9eb9aa414e00bafbd2e2923a674ed13bc6b8c4bc084621c24

SHA512
2402109130209468c0303b0b402af852c2af3c97db57d8b648f7af0d6c034dc66a82f53c7eb2602796b73b482712edfb3681a3302626f5586c853c96b6b91ea4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b61200370b6a06066f5422e80ff600a4

SHA1
b9cbea7d29067c661ca55a35d218488928f20365

SHA256
63a265415dc47cfcc4074ce0c09b6b209325783f915e94cb6f0960eb3e3cec37

SHA512
27677f488115c945c64dabe53d76d99f562b9cf7f998e24a596b5893e2364cb1411bfd9ead751dc1bdc48240c5b0cbd396dffd7c8342a7bbf9a61719cda68883

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
616e48e441b7f16c993f413558e1c7c4

SHA1
90baeb97c083a19d7d5a745f5c74e09ba37c8765

SHA256
ca87e9f2862fa3ca6fd94371940a6e11c8699fa60fbc5de46805b40d7f0199f5

SHA512
7666df7221fe3216ec6ebe7e842ed513a2ea071e21650c668e72f9cda5cee53d3068899dd8171b6470e8de67373438c3a6826771d682bed51ceab512c4a5f56d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
80f7801cce4d4db30dbaab608da8c339

SHA1
0f8b521cafdd39e09a5fe87fd7dd79a2b4b8fcb5

SHA256
e02e3a3a505b9ff4a06ae88b065a68f64f6a57493d7a027de4294c0c3964ab89

SHA512
e4b7f9d8b31f42fa90c0596749df78a3b843d88fe998046edbfae87187dbc8ab20c761f16f5a6839336f43fd7218de369aa2e6fd0940798ca11580d1655573c7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e410295f8c5be0667bccdb82e6469187

SHA1
c6817c1d694e33a9b2eb75d3a79b40b4571accd3

SHA256
e834ecd217bdeefe6b45716101d30247abccfb8a2b44cb9b0fd39327fae2032e

SHA512
952d668fc2f1e467cb816c60cc546858ad05761ce39bc87d36f43b66262394e91d7f10dec69efdc006fa9b7d89a10babf7ffd492feffdaa6e0a1f33bfd9f7a6f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
999edadf2e0ff892ca372aad428fb9fb

SHA1
438989ebaa4433eee1158229d21225693c686956

SHA256
37f86d62c7bc3592639cfd656bd632d79f3f8b3f46cb6ca4b308e9e7812a1905

SHA512
1873f8728f66de92dcdef5f01146f788ce6c76d530b5a9176ab217177bfd1e93b2ed5448f601739567c1cd85ae3d5a5b058647a58dc34dd9f02839969e8b9d18

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0bd02bfe6f33a2469a8db7b89f553a61

SHA1
f2cb192bcb5421c1544620c1517dc690edc4cff1

SHA256
13036b529939c0617c728f0441684ae73e3eed4873cd4767992947095db3d29f

SHA512
dc6ffb6ccfa59d882c7765c638e7e38a94ec2c18db2072bac3b6def0d831928c82a6e7ac894030feb8d08972fc6ccc2feec83cbd02eaba8e2890bf00a5cff456

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
530a7c9ce9b54694d5e2ae9a5adb9b51

SHA1
be90661c671c1b6d0127ed15ba1242761d49681a

SHA256
083ecf084588212c1ebde08969ffcd72b184a67bdbfe73451ad2dbd7bad88839

SHA512
8740b3b031a642bc885a26b5226d3ec755714822ddbdbb2a2e35c2bf6bf5a18f2eed221443c660009bcc8d0a75504b5fffafcf74e8caaf3e2db702358593d2af

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3457b76b36251bd69d6a3da59a7199b0

SHA1
d052daf0d432cadac94f7f403ee7ecad4e681da1

SHA256
c4a7410a25e700f33ab0dce01ec5dedefec14eb6ba26f68cda19dae5bfeeaeb8

SHA512
fa5e75873a5382adbc412803cdf6a5bf89901988d2e0debc2775621fe30bfe2746dc32a269a5468b465c6bd35aeb3704f9bdecff53d8cc344730a05ed18122ad

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c63ce53315a22dbb37bd5d012658fc8c

SHA1
3c96866fba27e23e39b2275f71b81f98e33eb549

SHA256
fb6207035d9c9f522c3ffa77e2e8d1f5f494eae2946be4130f3912bf0f319d42

SHA512
aae6865ea48055b3f0653b87e9acd9f74809cca40fbb7b1365df973200b23a91c701a832aebf75e0f32593ef75e7b8b17f57c79d3187a8bb096e6c118ccf0596

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
606182684a94a205e07d3f74c48ba4a2

SHA1
7f44a7bcd0399945e60dc6922843f67d65eff197

SHA256
4ce5d794326eefce0377f705aa33570fa67be4db260a11c8244fcd75361d19db

SHA512
bbf7ce7b6c98853770de25ce46f3e6c54b3d450920f84bcc0cb1a07c832c83ba389214082394b1813567a2bb6b3da5c80f6392e550c71fc68e4833c9f0a17a3b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
70cddcf158cfb63167543a135bce2afc

SHA1
2b5656794cd0818d12afef2a9885bcf945e5f9c4

SHA256
8eaa492739a51ff480dd431cc25631ba945aa355aac29541f1f179d7cdc8e68a

SHA512
ddaa5e51d618df0cdcf7c41e7f5055e988507c88d2bc0330ed2d56db1879d3cb5e32c58b5b780a151b0a000a188f339267c40e0c3eca56b58df7fca336c7540d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e2794ff1f0373308f70217aa0c919015

SHA1
3abaf51add11f645ee44392186d3d20ca5d0303f

SHA256
a40fb7015170fded464bb1499f84b9b484b4d3a651c9cc9c03ab05132b1c613c

SHA512
b3da8d18293041dff0adb159179a7c2f78bfca0224fa5dcfba984d8910ed8cc92afe8e6562243c2e3c5909f80cefadd22bbb56047e2e4827a625d8434fcef294

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
a0e88ea7d2fe4cdc5b9dda637149e012

SHA1
a79e68bb8b716916d23da054f0fb90fa6e322ca1

SHA256
6c0685bd59922d5f13d081e7b07ff05453e997d6ee90221a299bdcaa3e9dde51

SHA512
97dda38c86d4e213d76809b8e4ea158154ee508a90d1f5b6dc955f1722f6fbecfb6ba34feb87885923bbab56dffa8450037e369f260bcc13796904994d3d938b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f008842c9ea62301a3b3246507764f28

SHA1
0f832a083fdaafdb36677018c181aaa8e67f06ca

SHA256
31918c9ab9a4f3665a865aff8e53d74b4a6566d665cc98e20c6508f146ae27df

SHA512
e60c8d04d78fbcf3b7648f891e85575625c41f7ab454a4a9d966cdfe76d4cd5dbcdad3d31af1eb87e8140055177339797604807ca2427bcc58e1537a20cc4e5f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0baad4aaf380452b7378757b86920de3

SHA1
00d5ad363cb1d0c634599c442f8f3bd9ba8949db

SHA256
15958c7058ba3b3541d85465104b81cb0399d75adb5ed3008e929e297aff1a13

SHA512
1a475b117549e3c3e04d8e271519286f46377a4a7fa9732271438ac218e90c60e3026df2b060e3c2e50ee214e55d76003fb1eb67d06b66f14f7b955e7d031bda

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
a495c01cd0d67ecefa0b3a9d7c61b703

SHA1
dcb02a01b4264a459e9edf3f77f9ff468c4d1f19

SHA256
4ad117633a7b83df9b86e1271346cda70ac907bbeaec913b0e3b6e01d01a34c1

SHA512
a568025ea724624fb040fbf1935e798a47353ee9a89e9139ee851b4d3eab704f070a637e2bf2086c29610afa1b6daf2e6d6f6375e9b64f591ea6b72bbf4bc05e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
d193765d8da415287ce740238e1c2f9b

SHA1
61bca57e7126d1ae7a6726fba6ba37134eeb9c72

SHA256
66959c983927fc512a2a3bc2f1458f692bb37b60e362665bb3024179d16807af

SHA512
e0dd71eee5df929ee2b85f2e68c9113e96be11b696124b38da5d4e4ab47bf77630abcae789fa405d05a384d8bef07d71bb42512dafb148199e65106869cf6fff

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8ddb38a100e3f223f3a568df6f04b0d5

SHA1
33715e11bd0b24790157b6e22d3b770f26736d0d

SHA256
7d3451e7a833ba78e90ddf67c969b5e2b0a5c32b4304ba796a99e7833e05aa79

SHA512
b79cc07020802f97acfc7352324316452732dac509916eecad6eae9e932a2effca46847d44209d9ec0367f146b9a49f52db188a63b25c37c3aed8b1f83409c44

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
08d05f14d45f57980ef4aab2a20e289e

SHA1
06110aafde612a27c29e3e0583c07cf32f0a26fe

SHA256
fa9e825bba3d1372f8d4e0786f7608986602133e3616596f69dd9953f4b7f555

SHA512
07ab073656b6ce542cd6a408e68ee68883261c8cdd857e3545bd04edba51154e6d0867d6f91852580db03c105a55b68cd94ad83dd6f1f5984b3e11cf2b705632

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e5987afb211c01b3290c0607a0a08dd0

SHA1
ecf0b04fcaeffc6eb99da848d328712262295b35

SHA256
494ddebd0e5d7c0e9470598f52c107776ffed698b53bbbb65a8f5f4fde6f3b4f

SHA512
56f7dae576fec49abd5013fbdec7d1e73d1d1500f28d0c8a761143c2b30a682b708e9ac5168e09fb79c46fcccce6b95184e68e4f17187b8cb55a7a9e1ba2349f

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.4MB

MD5
3a95f0649ff25ebb7b496d4a0a46870c

SHA1
e4b4fe2e47846fdc1074a7c615ca231de4230207

SHA256
0f717e7f0efef90d1431e72d612d6fca3472895437c98eb4704e702e597ecefa

SHA512
9b2ddaeebfda3acd23645df87a4565af4fed3f57f0acfc47affdade547ad52a0a037d2a31792e5f8c1266f22ec376b5f1f5c8bd646ba59e776a9fe821d2d2ff7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
448KB

MD5
bc8457564e22b9e612ce8228e2101cff

SHA1
c62c3c3606a4306e80dd8719ae4921d2986112a5

SHA256
1282346ca63bd9b1a6bfb20fa58122e1f064b50254b760d8a4e5edce9d3b7421

SHA512
d4b5edaf4f66c4cfbe6d457e0d55d53c1e52d16b0d2f897dc75718ce06c50a7f7562c7e84028b1b4d79be7318e8b20f308c6f308f845d599bbba6e2bbca753ce

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
7909c4f42afda615adb29363253549d6

SHA1
70b96cf001677539c8b7e0b2e1eb8f41a2eff9ba

SHA256
4eb02459d4a0468bc5c4024c885e339808c0c5a1dd31a215b25c0cfb329beea3

SHA512
e8b6e6fcd05f7ec4200ce9b556201b4db406e897cc3e940d3df299559d25a96498a2ebae21dfc80ce82f81d0b2ff64a936f562208e4fbb8746dab5d43410e8a6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
aebad01437fa5bbf88180456f5234603

SHA1
abbe14a8804e24c401c3b3a5986c98abd10da628

SHA256
b01205455ba69258b7506ec028cdb663b6e7b6e2ae6180680c289e63ccd156e7

SHA512
3411994830c29ade17a565269134c1e07f0503ce1fd12c797d98ed6cad986836e3fd6e9e75e98e09102cd006ae9524b3bf983b51471da96345290cb11fd4e3c3

Download Submit
memory/232-0-0x0000000002230000-0x0000000002296000-memory.dmp

Filesize
408KB

Download
memory/232-5-0x0000000002230000-0x0000000002296000-memory.dmp

Filesize
408KB

Download
memory/232-58-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/232-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/316-219-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/316-88-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/316-87-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/400-122-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/440-120-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1272-478-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1272-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1412-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1412-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1412-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1480-190-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1600-85-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1600-80-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1600-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1600-78-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1600-72-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/1948-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1948-30-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1948-32-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2148-466-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2148-169-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2172-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2172-477-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2620-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2620-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2620-44-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2620-36-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2620-42-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/3048-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3048-124-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3048-17-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3048-19-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3332-515-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3332-263-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3580-135-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3580-254-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3864-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3864-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4012-242-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-125-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4024-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4024-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4024-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4024-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4664-202-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/4664-476-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/4676-404-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/4676-166-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/4684-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4684-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4684-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4684-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4820-516-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4820-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5004-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5004-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download