7549af74c3269668bc70236e7ea34636b093d9cdf90d90d0e02d8532dc26d4d8

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Size

24.3MB
MD5

a78f8b566fcde9e686d6610f93054b67
SHA1

68d7e5c02f0eb4e0065af49d004ccbaad6054266
SHA256

7549af74c3269668bc70236e7ea34636b093d9cdf90d90d0e02d8532dc26d4d8
SHA512

2b8b559a21cb72a1987015c1621d83945f1be69957454aba3ae25f470d9990bcf32f8ec384fb5be8f57f03ec1df3795e75f9c376ef77c6918372ae08a1671657
SSDEEP

196608:AP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018n8d:APboGX8a/jWWu3cI2D/cWcls1Aq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2216	alg.exe
4744	DiagnosticsHub.StandardCollector.Service.exe
4600	fxssvc.exe
4520	elevation_service.exe
2064	elevation_service.exe
1880	maintenanceservice.exe
4936	msdtc.exe
4972	OSE.EXE
2228	PerceptionSimulationService.exe
4768	perfhost.exe
2660	locator.exe
32	SensorDataService.exe
548	snmptrap.exe
2528	spectrum.exe
4104	ssh-agent.exe
1872	TieringEngineService.exe
224	AgentService.exe
3868	vds.exe
5064	vssvc.exe
2116	wbengine.exe
2924	WmiApSrv.exe
620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3ed0731cd590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009eb7356a99b9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019484a6b99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf06e6a99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef14f6a99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002688e86a99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c8676a99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008890d46b99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c17766a99b9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c8676a99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000695e1f6b99b9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4600	fxssvc.exe
Token: SeRestorePrivilege	1872	TieringEngineService.exe
Token: SeManageVolumePrivilege	1872	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	224	AgentService.exe
Token: SeBackupPrivilege	5064	vssvc.exe
Token: SeRestorePrivilege	5064	vssvc.exe
Token: SeAuditPrivilege	5064	vssvc.exe
Token: SeBackupPrivilege	2116	wbengine.exe
Token: SeRestorePrivilege	2116	wbengine.exe
Token: SeSecurityPrivilege	2116	wbengine.exe
Token: 33	620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeDebugPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3484	2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2216	alg.exe
Token: SeDebugPrivilege	2216	alg.exe
Token: SeDebugPrivilege	2216	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 3504	620	SearchIndexer.exe	111
PID 620 wrote to memory of 3504	620	SearchIndexer.exe	111
PID 620 wrote to memory of 4912	620	SearchIndexer.exe	112
PID 620 wrote to memory of 4912	620	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_a78f8b566fcde9e686d6610f93054b67_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4856

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:32

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3504
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6968abd86570d2b055984d095f4e34d0

SHA1
c4aa25481bd45b905de3d8103d3beddf6b03c223

SHA256
8fd712d00f812d65182eae5befd6d5cffc13ba3edb73891962eda6446fc9f84d

SHA512
b2657e52f81285bb681eb6ad63b5c01a79f62a957c269b9982ec41bc572a6cc6b55bb6967d9aa9986cd5e5d3a83bdbb149306c047276b0f7227790bb8d3e4d6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
138635cbc7c6900b4d58b70dcdc58a0e

SHA1
767f4eba3a2e34beac2e6f42e09b0276c38e0b56

SHA256
2e4ee4bc06a1cc23b1715283ef591f7d38c8e5a42dc2373cd01b24ee677ce298

SHA512
1ac033aa60feaa45440badb9d66ea27dc9a86c1bbba3b6a0e968bc78bb0f9a8fabd2372762c9c1fcfe32aa5e3962b9db768b4525f88be5a54e4783487ada7f7d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
913142a41b9401e6515db392224ad8d5

SHA1
bbd82157b0c4bd871b599b882a11356d27ca71af

SHA256
57ae46515db633660532034273d5917d7797f8dbd75f886f8478d9c3f6c170f7

SHA512
f8c6e910cc3e0659a6ad1abcd714c4ba20738e0410aef199dfe7f84252326a1ef6b2a63cf8a1f83e2c45aa4b311d4c2e3821ecc82446484ee49749cfce344af5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ebe0886dec810d554f6f6689c44d4ce

SHA1
701ad39aa11125cfe20dc8748e19379b95e334b1

SHA256
49f817e9c582f69e4685d014332f36daedcfe00ce332db8adcd795d1fec0a0db

SHA512
2bb74980c72e2f70f884a3e4206ef68c6d33ecfaea0e6ceaaf50fc841a1d07f8e00f2b3a4c1785ff17d4f823134df95d6d0d0f9301fc6376a7d13caa4fde59cb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c6ad07b5d210f37cba8a0bb0814290fe

SHA1
f0f47546f16a3f05edc3b86e56c009d1d196dea2

SHA256
991ef11fe58a3a32e4e7ca46e90bc814c49c70d2418340523ab4e3c9fb1746c8

SHA512
52ca92b9f6c4a9e4746b448a43842628b3efe772856694243ccd3ed6131819941def0cfec733f545c7bf4ab963601228d5acf6beb3ff52745ff830a5e126ad61

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
651bbed88e76298983a8fb5cd27dc1e0

SHA1
cb9002d09d161c512d03e7f2ae35dcee4d753e1e

SHA256
c0a959c3c84bf9fd628fd654f45f6cd8aac587220b1efc5cbaca0cf933f13e9a

SHA512
661d9ea177865c61c44ac06c54d05cedf5acf2b119c124a6bb7046404b47afd0172a2503376aa36b172b70dc74c402dc2a1107228fede91493ca70444bd07213

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2b0793f5e561ca8ad15d5ef032dccb02

SHA1
13fd26002286e34346f640881d54edeed5af7179

SHA256
5b60eab55baf7b2b811bc3dfcd118b8601521d5bfb28886b095e32d3ddc9bf82

SHA512
b6bc8d79b423e4e4c0264ef1f9d8c03d87db8f28ac4718aab4daa67a8e97d98413ec2297c26385f58b30943464a02b3d92af8ba54ed19de51c1a652216935cb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bc80975f66ab32f522f957edc2999894

SHA1
c2e2d1e64399b380ff4aef54fa0473d7961c63b3

SHA256
4bb051619fd4aa935fadf9202c4936bcf10c34177208ada480c00af992ad7a44

SHA512
1511e3e69a8f772e410b47f34022b7b2b93ad53401e5c8dfef289414d500d89735147747a6aa1ede239671b0d5bcc4629c551ce88393c0f6822db849430fc4af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6794bf158058714b947223c719c66c93

SHA1
ff82c483afab3b5347802a18025ea8ebb2c182ec

SHA256
fec1f17f475a1282f124f67342d8746254e60858ff371002b8a16b2e75d1bd89

SHA512
7dfd378c8db419bba9312fff4ec0750dd1730effe091da5459493de2b974d73521d5d39f4079857b89796ce503d1c3f7311b41ff8f4de48d88ffb438cd53f9ed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
215bd5c1d23200d50f15b2cd4ce7ead7

SHA1
a5029acff70fa2f65c82bd4a753a5f726816b8b8

SHA256
d1b03ea7718748294524d7cde0e965bf24224b9f2ebcbff98f507efefef9f2e7

SHA512
4b367c686032a3fe1de204976581054e706f6047a5f85a2a1b93e4a3e35d97ea4cecd7fdd7797c633269190d49d74430db934ed0ddda6663677c466b24fd092c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
190183c507f5ae4887682663f5043689

SHA1
3861d8458ff2f4aed972eb97f05aa0eb17c88bf4

SHA256
4983c2c933ce083ad43381f53f8eda0a61b21c58c857acb83e74b03894e4e301

SHA512
ea269aa7d524135b430f0528001894e2c8e32b769a21ce035c41c195329160faacca483cc12e875fa0307d0232b600e4b89142e9223381dcaf29922815e3f783

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
de40172bdfa1d85c414de5e1b07f9148

SHA1
4359e933f132b03ee1acc209233e3334113e0502

SHA256
016f00e69b36fd8079e5c1180ce17ea62e218ac479d19c0fb2af37da001ba867

SHA512
b62d5dade9ed7818f8ac57f2ed7302fb5f141b62d8e2c90ef704a08b92b6ae719d7ca3463cae1ab80505593e8bd457199e839cbe056552906eda78affa4ba7e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3cf99f6e1d2b19e0d29655a7ad69b56e

SHA1
7c16d07271fe582b220d5dc2b167e94080ccea93

SHA256
4acd7de9a0101be7f0ba586615d4da6464208de8d9a04c200b2c883bad08dbbf

SHA512
97705583d0eb0646a192c53120463b7e48a283c59cfcdd74113f1a4b5c58f70891b54c845c408bd7bb8a856ca1a8f073d589e84d69caab0d7c4f4ef2dc8fc011

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
3f872225595047433ed332e96cc5e7a2

SHA1
3ec8825043c9a24e0308afc47a6bd3c0b442da03

SHA256
08b67bfa4109ca1cc04c1be6be6ddbc434a345ab91fef94060eb1691536acf1c

SHA512
e0ddc3b3a50a433f9ef66c76f9c7b2f4e8ef59a9a826f8a7b9d63284b0cb9e166faf3630ffd87ca34cdf7412065a31c98f06e3b27de36d3d069348ec9f8f35d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c1abe76d9dade783bdeb97d2371b0e8f

SHA1
ef147af4a931ef2df480c71a1f1a06b94834cf9e

SHA256
0791ba32c0f54374e8b7ea4eed28ef8dba1cfe94d6208abb5e67d22e391f1e2a

SHA512
2ee7b3e828fdf6f8b59b06f5f3b2ac5d2a5b4faf195af719ccae63f890aedde2ee3f85b00ef2ca9e9cd66e29a3d9f6f5ac3bad23f7e5c6da655f0dc84838bc48

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0c701e7135ad7ad9b37ce1cc4ec4ba60

SHA1
a66e2f119f022b72b1d7cd8a3186e7dff800d6c4

SHA256
b8fd96e4937f06a5581d48305045e22fc86e5dbf4804bc0b795c5686599881fc

SHA512
494e48f875691d11409092b45b237a971923a8e7f33a28afb9492aa3cd0c097cbea621ab040bc42c6a0ad8ab20735c1c9c37e4dcbbed83d040a482595b55e8a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fe364fbd6948bbd981a78d8ea74992f6

SHA1
14f0abdd943028d50a6c92bdbb4edc81a971f69e

SHA256
b9e7768d19f06ccc944148acc220b4826230a5708eeab73a9e2a6df6eac1daee

SHA512
ee2467531c61306407bcbf0696fe5924000dcdf408863db50d94dfb1bcfdd4feea8ff8bc05bd87b03db3b0458ef68f9cee242e38c9ab836da0f60c3838aad1ee

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8211320d4a825f04607eab9fd6f5b16b

SHA1
fb3afad82fd96f6169373c48de57301ebe9a826f

SHA256
13e01c6b97afbbdc7b5ecfae2b39167cb3b433026f3c1a48b737b69c4cda8dde

SHA512
aa9441cb22d459a3643e86d928e46dd6070fbb603ca78aae42b2cd86ac4fd9c61097d052182f28923610efa374193f203742e0f4c202f5776c3061d0f8b90beb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6fb25a495e36434b1c693a5a791fe63f

SHA1
3e655a1b8fda0f908c10da2b795b7ee3becdf0a8

SHA256
8158d181d6965e36f3f769a61cdb40b3c31ec097462aa05f44cde3637249a42a

SHA512
c759b64d9adcd02ade605f3a85562e71c9ef3265933238dc19688888aaa638e9376b71cd98c1513389d10b15d35a4593164fae389be5f6c4e0d4f18bc1b0a25b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c560ba7b7028fb2671028ba220186522

SHA1
f34daa89825a65fb13f4f8e89e05976ef4d9c1b9

SHA256
62009c76cd715c78410f456816488a3c8b937b0c792dcd1899c1fe260f1425f1

SHA512
aba1a655fdf43d22706720c0ef4bf3f29ed9c81680a7baa9310519fdbbfbc9acd3cb03db45fad7c328dc0388c4d20bbc7db165b26fc89281d64e2aa5a711c9a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7f503476e4201d040ef2e1a3dec75f74

SHA1
fe70308a16765afaf6fec4594e7c0d11cb079a41

SHA256
6ebb3aa3cb6b59b735efa702872aab491c0dc79c43cfd57084937961f2e54aab

SHA512
90dbe727ac44d28466d6d21f50984abd7035aab1b75b45966c4ceafd4c3b31d4322c47f4d2d5d3a8e2ea291c2bbce772440038a35597fba171fb48553530cfbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
59f6213232537811b6df33b5bad454ab

SHA1
82592b59b48c3c233ea9ad0c5b2f434d361aeb4f

SHA256
d125332725c0c278f98a5e94f1ade72847554ec3b77dfb103cd37dec74fbaf71

SHA512
82ba561ec4c6f0687f6b3c99bc48836dad2d15f2e9340300abf559493a564511ab37fc892d523ee55b14482deaf5aa15a2edda0cb828184f5b4305d2fbea1ecd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
756469c90338e11c679b90efb0a32c29

SHA1
84769edc7427da323913d60ebab2dad9c338e64d

SHA256
59d7f9baa6d54f21c5a2bf0bff9c26ce4b6b8b95c5ad098c4cd048b9eda0c066

SHA512
7d185087e386d33c21a92e98951012f1ccebf8a7296635729c1f7f09799897e4a6cc51d76363ba9ad1dc30a9a2d0bc1495983d6929f0f8a4d58c936e7f954a29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
6a3b6ae7492b0559bccf8c9ddbe32cbc

SHA1
efa9367a61560802b60f16fe66e804b650321c35

SHA256
50712b5fa197ca9ec98df9afd1473624090c70dafdf95b3e228976495c0811f7

SHA512
3dd128d891876b2265be96aa2df63d8e2c14b53c754f41aaceab31380c26e88e6dc7b61f2af9822e371d0243a10a4fb9b59f4c5bf5c9ac530ee2a5394aa05f7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1edb321d4edf71ee8c71287e957d0d28

SHA1
4b37a01ef5695dd38f4b1dfa4b8527d2495fd72f

SHA256
cd5c87a3d5f899a36282679925a13ed1e97fdf813bfe7b8a4c05149d7837f216

SHA512
c257e18184397414ccd562cdffe39094dfced6d6ab039f301541a02f9e07a9e5208c5e58b4b6ca66b68973adee3d22743f00db90765f163f73f0605f00c3952b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e7fb052c494aca2f20461cf1036de777

SHA1
6ff25986dc60d0987b0fc55d3eac6548f0ab349f

SHA256
ce3514bda35ced9ce86a452bd3a844f2d9cf427caad3ff277ceae6c43053cc77

SHA512
fde486b2da958c7798cb32d0713893ef1835ffc113f809e36b394b5fb176704052779fcdba2265bac85975ef7ea8527745bcc5c4d289d69621fc1b8183dcfaa4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0e5350099f8fbf12eb8df73746219123

SHA1
d25d3081e7fa8101eef4b4435b6d0c483e89b0e4

SHA256
2ab0b79d741b327191b3e17196425fb3f53cb83a509298a2c9592d585e1a7246

SHA512
3fb59ce8f671692e7929c51acbe3603ad81d1fe1759195e6fa3dcf11795e8e3c2e8eeb09e4ccecf5100133f070321588e8513d7669104e520518386f2c1c96a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
17eb8f9c4a20a3e4275b0ccc61ac7b8f

SHA1
82004039517734f6b231dbc9dc81ee9666e5ab05

SHA256
e6384bc59630f8906149c5431a0bd095f43363fefef6b3503bcf0f78e58de023

SHA512
2855f659c226d97444ac3e98a12b0d8fd6f47a0993bca0e8cff9a22eccec6635f293a9da09a14e366e2688ff866869163b66ce4f5938da1d570e2448f5b91aac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
89e3628445a91af5e8ff1bd203f6e710

SHA1
5fccefbf9249b89442a8ca4cef349c687a38f5e2

SHA256
cdf2f28ceb59ec82383ec84c78544091f54bb026365ca3cafb59e7af29b41ec7

SHA512
ad24dc407036d35c513f0b6dd4d6ce7b8ecb85037635cbe26e39e7d9385265c0ce0764b07982c2683356cd39107a25774cc9917d29aebf26b4c473a8322c88b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b2527c67939d34002b25b1e37b7f0b2f

SHA1
022a314b432ab1774b9b8f3c38547ad250ae9155

SHA256
97c2bbf4531138fbae04c4e4d269eee83ac00f2e694dd3518f6f04ce81ac92f5

SHA512
3019061d784aa258ff9ecb3d7ef3b2840ca33183e1fd9e5e7507fa26c0aad2116cdd045dfe27372a9216b130a7d2775820b57674294474464b87508409b88046

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
840baa55d17bc6f89a64ae41ed038fa5

SHA1
0269262ef576c4bff867058a485b95a1d2d8d6f4

SHA256
e1d9a4bc55944838ac116838b0c7565cf0151974f8cf32ce8c1af0a4e11090d5

SHA512
b96b157524618d4fa8c3e4fa14116f4861ad6d1f94e5d6ae23491c00374cfa05672ce529f5d036a02ad847a81e32d798d4d9c42ff918ad58edc5896cfa275fc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
91761449b8528071866940ff25cd4b01

SHA1
40b36a626cd20d3d0a6de5ba875e4a12cec09335

SHA256
12752975f02e879dba06a59a50c69954d181fdeaed96478b43055e3ea07253a8

SHA512
b9841a06eaa671cf796d1227dd363ead8c02da405d5c0eba854641693a65ba596bfa12a482611342169b28b76a772a398320dc99dcbf502a5a8c0261c0a1fee7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
07b18d453bad8bfa0415f7b5929ebcc5

SHA1
46b22367322716cb84c942cc08c1cc93861914f1

SHA256
d0d6962c36d046b6f6e4a749848cf1b7d25ebaa1bdc5b2f21f08230e11ff69f8

SHA512
2823224f0ff237e2f375a6d33af23f1af7d96be5deb53ce60ab9564de0a568229cf557509a4b58a0a7f543b6a3483d8dfdd97c8a0a898d9f193604a2cd20d75a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8d1a15622e49434798f611cad0dce404

SHA1
2cc3fa6f17b59efc9336f9c97dac48d6f834d5e1

SHA256
7def1722a7a113342743cf9db4811edce554618e0072b380ca8b700484b94419

SHA512
ed1386923d0f0dfeac0bede21cfee3e67b2ebf4ff46966fd3006c232e49e9beb827527484122467e80c3d683ed35aa5dae8b5d30c1736f7a0c96676581dfe99e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d8ee62eae4efc86ae5f39e908b8ae63c

SHA1
f2296d88c4d2a3a8763427088d988344cd6d6021

SHA256
de0edd6bbc27014d7b36c02d13302f3ffd696da2e45916034d7e95e43078c0fc

SHA512
e29d691ef13d4d9808d2837afc77935b1947118c1c6ec70f296390d8c47b0a17cffa9e67e09f34d4cdfaaab7ab77a190b6f7c45e94058ebf7c548161679a4752

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6c23fece7819a7eb34b86362e523cf8c

SHA1
e138445f33e4f5efdf6b0300ab21e327f76ff428

SHA256
9872b06d3685812badf5e8dd36b278fe33d47a1e3d3cd083f94d9f75d8cd493a

SHA512
2715667abdedf03dd7a9d6b5210d3016feaf2e95b0566e165ca3e472a4621939930bfa572d36c2755d1a394f525e0f5ca9e785b94131afe6b0a062838e47b6ef

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d7734290796815631da376cb62136719

SHA1
20202ffe50602b526396790f5a667a82c87940ea

SHA256
ae368f260ae4a40eca2b88d5051a63e8f7bb0e054c275953f336c1a55b014a2c

SHA512
3b2afdfe23ad2a12d24516d82ca0ad56e6f5b69e040334b6ff23886f76d41b35294138424ef4f40bd9d45fa82951f93893004760c2d804d1abd79f74233b9d50

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
b8728a1027fdd7e7e251deaaa7f4c931

SHA1
8ae45680fd49ee4e23c373d0aaf44b71bcf65203

SHA256
9993af78f2616a22b1f54aeba66ccdd5aa34d9d2af2a43b087f0aeecef970ad9

SHA512
f19074c912b49452c69cab8ab0ad522297a31e2eeee3fb734abcb1219de9f1b5d5645a501678fe97e39e569de5909e4543f9d63d6e9c18a493865d6cf7bf9b9a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
17bf24ebe2d50c0283838d723d8ce411

SHA1
8d35a6df6d70bb34b7bd0dcba3ca9d7a3c6ec3bd

SHA256
772d5530cd5d2dc3e3986710e9556b80f6a43592f867ce8f644795e64af848b2

SHA512
2ba4d3db18d6c6745a3fe07d72d79741acd79e02c0e6b5151a89a85af2921f2b841d789490294a28b2a02173f8e4cc1f8281259a1660322eb4e996a88781ff31

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
584f32f0f27b4e8b4bb7f062f027f544

SHA1
2170778b14156fa601616ca07404906f8f803d84

SHA256
e546c3c52a97014eeb328dc156b3b181e02099aad29f33758362e2fe157a045a

SHA512
5cbd0ba7f225fbdb7bf440c9c42e78d53a11e75b8af15900e862da8a332eb5483a1a51b56ceb0fe72172ece83b4150b0b556ed652cea2a7bdb29aff8e6d5c4ba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68f189d280ac21b5a1149570a0f71546

SHA1
8f5c41dd740b06c3fb87106998de78ed1be88dee

SHA256
3559b732eda249d7949d8fdef1eba3f5ecb37d0bb06a4c481cae5287969f0940

SHA512
dfc01945bc2d646ad712260a3fb5338c397d3153b787c61af3eed620a12d210a7b999c388353974312bfd4216dc4ade175269cccc62efbd4cd3b1b96dd664e40

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
40073a1b0d3d19687ddda3ea8aed34ca

SHA1
de9fad59159b6176970b2e5b3c6bccb16e40e93c

SHA256
cb3e52083a253ea74b11f055909e18dc209382b0dd4e436c23a6e14b46f00148

SHA512
8325a456a6671b6bf05e3e31f91a4e4d4ce072ed03c54a368ba5bbf8f7f57f8417f0c191fefb845a18dbaa2135ba051234871ebc6f803adc125b40f8d1bc94c8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5144468fb3e0797a18add5ecea4e81d8

SHA1
c1aa8c4b9d8a7cf208303c747fa29f689b264234

SHA256
a392ebcb20f4e8f7bdcc2ba385b8f8cc26f713f0f89c7ae7181048eec293eb48

SHA512
2106dca78bef5579d035a71807bf88d996b7c08fbea7d565b6288b4d2834bc9d68ec685596f40d33db78411f7e102a7c44185dab3d10f3739880c81f10d9d248

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
6ad93eebb2d26212d4504d247ee5a720

SHA1
16fa65de13d95ca423674a965b96a96d5f4a87fe

SHA256
2269899ee361f0cc2e154942decb555830807a4645a093a79e249b3eed2396f4

SHA512
2772859e7697f55dc108e369e78a20e0ce6e5b8780547d41980fad8bafe923806840e631a59e8cdfd15ed7f712f98f0523f40ad686d0beff91fc164e779db7cd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a9f3f2c0c7ad18ca89f9a620e3923972

SHA1
894925bb6ea7906a77b223ccc09da722095d758d

SHA256
de919751854e9fb2ce637b546fca757e9e6729ddb2b8055b1a98075e2a580ac7

SHA512
2f7c46cb59231e62e58dda0f68fa3cb223f8efc90378a38df6420bff99829685ea493afac8fee094a902bd31f47a84646f2e4383b896a922d4bc84b9b120d646

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c71e9014dc1ab16d1873ee3111a9b889

SHA1
eb39e0e10512b1332f418f2287903fc045a09e25

SHA256
7f182b903b034afc92adc65fcec3c916256bc132fd689d3dba2d94a4c2993d7c

SHA512
590fc31b97e044fbc78167399817df061e721e23df1ae3390a3063afe1db83edb0c1d2315d1398e6202660d0aea0740951a3fcb1d2badf6dabf44a302d9033e9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9c3b4dd2d1ae790326f5a953952db17a

SHA1
a71f242433eada8f1c3cd73d0ff5e1d5897422cd

SHA256
1fe67d3497c5f7537ba7ab8c19862984f459bac259af5363f9108189452a2621

SHA512
810c8bf8ebf7bbcca8eb42ebbe90d20bdd8404cd0c24d4d20ac1d94e9a412de151fe7328a1e2c2c72d62d68572ac3896d8d7e467810932bc590b419b15a35d0d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ebaafaad517799a91df210f3a36873a8

SHA1
3fc7a3eb3774c311ee5cd3a3bcdd70e7c15ef950

SHA256
cf1ba25a4c0fd177ad6bc943cb7af0a8439135b782e55a46c3606540ca4cd451

SHA512
4dc096f744e1d6a7a51a6880cbceffbf4c3baa942b0dec262981788ef38e6891da04e075ceeede1c0d632dfe13056ff2116cb81d144ee652ecb573744e31985f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
872a90e3fe50e0195985d9afaf517e0c

SHA1
768443a2245c1c9ebd0868b431aedb7a1e55f136

SHA256
08900230c7ef5f3421d728651a205e775c7399ddc012c3505e2b1fe280bb0f3a

SHA512
185f94cb0eb0bf610862e9b5e79a56eaed84df7f7213159715e50e533188d022c7f11ebba0a8ebfa162ae7e1af51f0501a1cfa7bd4fe143fa89608e699dd6d23

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
439ae32a9a2bdc31be9cf1c5592517e0

SHA1
85241f37ecaad18384237f0b5c2af3db6fb517a0

SHA256
f49cf88b9abe666cca0423de985fe2ccfd69837672fde618881afc70d1bf4d4b

SHA512
212952126740b88a1e61e711fa5b5f2942cd483da0189db5110acee6d6678e0591f3769f28f1588a68d470c05c471f8c018e283fab56fd9ded594332f25e4fae

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
fe312b10a2429773a9b9c339d270bc0e

SHA1
40cbdc662efc28aa700911428f441e88065fb794

SHA256
3fea02c80a3bca8b71e61838ea95e1383703132f69ab2c71ef568544cd3f4dfd

SHA512
bc1398909489d740076c557a57b8279491ea9968b2f03559927eaf04bd3277ae9ecf6efbe37ef17772ff54153380a09bc23bd80f8da588f8d0bfecc5d5ba6b8d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
11287c0027a26f483c79b388c78ad20a

SHA1
1471b767ad8bebc604e369b7fdc729d5c1781b0e

SHA256
2ededd252616455262e0c40ade90795c76f65b592a5fddfab08d5bd85e7397ac

SHA512
d188b5e074fec6a08cffad6fb10848fcbb58936689044c1d30b3cd98e3d31e44a62a8a5318beb112591a36d941c423cf1bf6cc838893acc0a0f3d962498fd537

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a455b0cb8c69dcc14fda4aba1f0c7bdb

SHA1
68a53c5755b53b72ee6c1ef60737b9da27fd88cc

SHA256
89b8480536ebbbbd896fc9ac3071c62374fe0b654f06544a30ccdd38f86c807c

SHA512
243ce8a6d607bb08b2c7966895629178b1d134c2e8b90e17cbf03a256ea9c8f43f790d0da80eb5f8433d00c57d6439552cf476365f1c5a9baab67c8fbbf284d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8cac02a37ca8c86d2e79a277c1bc9fda

SHA1
8e5b73daca7959ecfc430a28f339561cdbe478b0

SHA256
fcbd47052e4cb2d5326c6d277644b2e4db1ad00bf4eff5d37380f3914f254b89

SHA512
4a25e19f422364e7cd70580825db08fe9731a9fdb6ab4df65955ecd0bdac6d01c48933bd54ec34c2613b28c252cd682f1d9929c37969c2d64fe843c6a14b7d51

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
475196d3f6a0933f94b5854970ce7d0e

SHA1
357ab610fa36396f19edfdf49fbae541c4d00118

SHA256
bbe8c1337937fcc8f8fa33519b7c2b46ee2a68c21f34074ad6f96f675c739937

SHA512
e6c68bb37e821751437c77f0a63da9fad0752a4886cac1f15afded387586cde2a70810339a560f47c28422661b55f58c40e38da3ae5f0a3bc657c7e7b55a1e84

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7430e40800d33ca3cf4ce9405ed29506

SHA1
5679c149774da8ea88fc32f7fe84c05e4472eb7d

SHA256
7ca6322490759833aa8e33a5643f1d35285c3c3684f2fd772f3f6c3cd85bb793

SHA512
d880d09a5fccfaad0b3be7eb5b800891b23fefb0bd038f9c09f24ef11c432196f7e3ee156e9175763c8decfddd55a13c025ddd3f3dc13101af7e03159b945369

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a492bc6a104f8c4e066fe0fc47c54329

SHA1
008fd2286ec03ca51bf187b569abd444ab6f312f

SHA256
d622379a1694c8f75c05fbd48a8294d7617cc487ac18f6b2dbcb0f4660a2510e

SHA512
ecd1800e4b1c761a8d3200a7c3740afc9827627df2480a472f67e272cbde763d0dc092aa9368c718e0c06fccd7b54cdecd85d41f551fa89d3385cbd82526b805

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
84f6b34c48203f64a19d3c9c37987e54

SHA1
69ccf48b03b9b79e0f1ac059bdf645f516c877b2

SHA256
fc2cd28ccfe65d5ccfa0e031a422b19c7760feca5c8f2aea8cb1d204107edb38

SHA512
13ebc783ca1d62678c5e3e3898a0a9aeb32a235a3e9fe7414ce7e86b5a15ad2bd05b3609524437ac7503c0b319d4874986638bf28e80b2a46c873b171c4da20e

Download Submit
memory/32-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/32-277-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/32-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/224-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/224-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/548-440-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/548-167-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/620-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/620-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1872-203-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1872-547-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1880-82-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1880-78-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1880-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1880-80-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1880-72-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2064-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2064-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2064-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2064-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2116-552-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2116-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2216-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2216-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2216-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2216-113-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2228-114-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2228-241-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2528-537-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2528-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2660-136-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2660-263-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2924-553-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2924-266-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3484-5-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/3484-70-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3484-0-0x00000000024F0000-0x0000000002557000-memory.dmp

Filesize
412KB

Download
memory/3484-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3868-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3868-548-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-543-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4104-192-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4520-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4520-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4520-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4520-49-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4600-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-36-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4600-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4600-44-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4600-42-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4744-125-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4744-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4744-30-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4744-24-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4768-133-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4768-245-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4936-89-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4936-87-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4936-206-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4972-110-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4972-221-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5064-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5064-549-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download