bf468b7bfb284579a81cdcc85e8e9b22c08671637277fe15ef2e4dbf44ab411d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Size

24.3MB
MD5

533245c28c56c595ccf71478ab345ac9
SHA1

145df8475d03e1de99c84be9f75ea6fe8866c725
SHA256

bf468b7bfb284579a81cdcc85e8e9b22c08671637277fe15ef2e4dbf44ab411d
SHA512

3d91266f42c69401b87bb4770f3ea95d762986f6dbfea5f918a0269e4a300f2e942d637cd9ebdb51cf2f4e7ad23fdce2dfe1ead4fc8b4f9893244d642ab3648f
SSDEEP

196608:aP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018KUoiPBx:aPboGX8a/jWWu3cx2D/cWcls1n

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3340	alg.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
548	fxssvc.exe
2572	elevation_service.exe
2252	elevation_service.exe
1608	maintenanceservice.exe
3848	msdtc.exe
3588	OSE.EXE
3760	PerceptionSimulationService.exe
4052	perfhost.exe
4368	locator.exe
4904	SensorDataService.exe
3832	snmptrap.exe
3408	spectrum.exe
4856	ssh-agent.exe
1580	TieringEngineService.exe
4620	AgentService.exe
4384	vds.exe
4296	vssvc.exe
1764	wbengine.exe
3916	WmiApSrv.exe
60	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6b19a958293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013dda0a73ac3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e7077a83ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdf0eea53ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb2a09a63ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff8787a63ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b219d7a53ac3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e53efda53ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a98db1a73ac3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a93a00a83ac3da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe
1168	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	548	fxssvc.exe
Token: SeRestorePrivilege	1580	TieringEngineService.exe
Token: SeManageVolumePrivilege	1580	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4620	AgentService.exe
Token: SeBackupPrivilege	4296	vssvc.exe
Token: SeRestorePrivilege	4296	vssvc.exe
Token: SeAuditPrivilege	4296	vssvc.exe
Token: SeBackupPrivilege	1764	wbengine.exe
Token: SeRestorePrivilege	1764	wbengine.exe
Token: SeSecurityPrivilege	1764	wbengine.exe
Token: 33	60	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	60	SearchIndexer.exe
Token: SeDebugPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3712	2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1168	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 4208	60	SearchIndexer.exe	112
PID 60 wrote to memory of 4208	60	SearchIndexer.exe	112
PID 60 wrote to memory of 3620	60	SearchIndexer.exe	113
PID 60 wrote to memory of 3620	60	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_533245c28c56c595ccf71478ab345ac9_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3848

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3408

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4208
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ef64a04dc97b9a6070134895bf2ef30b

SHA1
d7f7a2d3bc0f82a800234fc2b9a53fa17f92a049

SHA256
a4075a6dd3c2eccb2b526983a4618c858eb278cb4bca5ca81c3545eba3b6f771

SHA512
d70634a771d574dee17264775c8d4deac5c6692282830ab8a5192969c52dcb703812f6d7185f190b50cb125fa36a6b90e89bcc9c270d4664945a5d75f4532c88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b3c27d1cab900605edb1c66834a3aae4

SHA1
6ff407fbe367b6717583501190b110d7532f085e

SHA256
ef0dab01f41f763bbe6695a1244a5dd0b2e414ee44780c918b88e065bdb51cbf

SHA512
15e1293acd00989fa66931e759ddd1c266f01eaa8c83e6916051aa42fd5f19e035976773b60a65e979a947e14124661338946d1b7ffbb3a1bc2223aec0dfefe0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
71064ca4410fd6016685ad459bb02d91

SHA1
0dbdbe9460a59a5e8a4f070b677fee84c6c4fcf4

SHA256
b5201d97ce734d052a386d6f81a4eb25cf1fadf506bc338b830125883be8427e

SHA512
1418e024da7af9cb11252ae29322d56acb99eb18c80fd38f94da909674be14e161e79e44a060fd78ad11bcb0f6b7bd7f4ed634fb845ab7852b1a863a404370dd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2813dafdae4140af1a38236465381058

SHA1
7e69ca6d0fab55211e8458bccfb303ddeb0c10ce

SHA256
020358b71e6dfd6b935363aa69b9d4437d0722f0ef46e1c2bf1974e644c0de6f

SHA512
40cb06820aecb337bbc2327f7abc87810100e7f2c2030459de96896dedd99c819661b2f4c7d8b4a6e12652b96d3f13dbe1b200df4f237caf6bb3b79b9dbd3c54

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7485344e687ce7b077b026e2c6379cf9

SHA1
b7f22ffdb7aad38ecd5390f16b9a9bcaea90e439

SHA256
36d7842cd5d15621ded905c4903f3a44b0105ed1059dd8edfb93b2e8dab171db

SHA512
6727a168917d60fffaac8184d133db34bb3ac33189671a96e1fb35fe3757a7229e49eeedc84a16c41300270c151f972fa234dd78c94b862b0f18b2f74a7d4b7c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c3f38b94ce7f0653c5c3a1d7435fc82a

SHA1
483c183627894d7abfd740142056816caeea5e00

SHA256
4f8e695765fdd9f29542efc79aa5f470a7ca8ea1f4980e3d6ab8a6b3020b2470

SHA512
f9cfec76a5d155a1640518c659992304524d9f4650de2035330927491d27fc0037f617a4dbc8b9d3a38549adbf5928d1d4218b2c7767e79b13efc6cde1abbba4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e5692c44fc45bf1d0955da3dd571d7d7

SHA1
28f0dd780e63e637faeb9b6089bd548172185c67

SHA256
088547238ee11c5ec5d6e22e4d2619e43c8d3fb2c9f763ebd512b8405d18e6c9

SHA512
468f7b43c146b51fa1f8f323c4bb40ae79aab3e7e2818bf7dd36beff42ee7ce892e28aa00529f2a639bdcb28106afb2e6dc023dfc02e397ab241f93adb4c3b3c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3e7397089bf556f3d80e2debf08b7162

SHA1
7892a11f4945cdbd7256e591905769b17853ab6f

SHA256
5c0ddc45dea675274d43504d76427e357cc66096b451b1b347e19ff096000fc5

SHA512
0bc2ffdd39305f18f60a3a73e02602bb3d26f1078aecf10484d79b88b61a54793437e0a84aae8ce75ea79321878611b88466a2ea3e7c4c118995fcf0f6770446

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
d329e675838dab1c44e83f7d8ea7319d

SHA1
95c6173604a80397ed070637e63e969ac2026391

SHA256
6ea01727adfe3ef3970ce7782550f4111c54f8cf522b57e951b0bebc198c4822

SHA512
a75984a6e8c35820282bff49ddb7d04306e3d2b400333a30bf59f824fa1a4e04995c41df6790b0b7e22d6820ee49763cfd04f851ddc79f7abcc26c6cc9d47235

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
226a628c5f6e71dc62a5ab2cb2b86664

SHA1
9de58d0b46c3617ca9fa42cd96806a9e64c26487

SHA256
7db34cb8a07a4bbe824f833f710edc27c6d83f8299c3c5c0f1c7e89f25138f2f

SHA512
14eb227b40c348c60c138ffc6683b85ee8a3f5aec9ef39a07ac1c261993b3a496b9257454d789786663bb5f938f929c5b11b83b0e8a4606a2d5159c1752b7501

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8ac8b8a34f654e6c0e99a32f28503b27

SHA1
23ccfb599e8f22ac63f433be4ae2138e2fe391d1

SHA256
7cb38ffc7227e654b1a27224f7b63eb72a131d0caf0501e9508f9aeb7f76a1f4

SHA512
a7446000682bba72f30c7ff8f4795490b7370e14aff623d1d78dd62c6f73262748b7d9dbb2eee22f85813db0b677cffe9fab1c0ed907d9285a1de19a0837a320

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
10e4c3bc5c28b0a153206d6eab65fa01

SHA1
2af21b02094c6abae52b0050fe9e389028529d3c

SHA256
a3828da807eb5e52e0ef55fcd6ef1ae47e2c0d0178292d1184e746072c2983cb

SHA512
30d2633664a23f37428766f645d0654d1667115096724b1a65de20196dddb7f23824a06eaf362d4660da23b46744ca4d316eee91ab3da26cedaa8ab179bee61a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
44616be500a68ab68a512a2d26880190

SHA1
dbc97943609de6b9151cc923ca24602fc507ed20

SHA256
13c59d95c185c43821874a635060c88114f67a6053a7ea2ccb40b6d90b7e35a2

SHA512
a89b57a8baaee0690f910d05a06462bf5a609cf368817c699b3cb572f6f663f457a6d06b009eb403bfe97fa53bc1f13d3f8ead8e388f15070e7ab5da21cd1b26

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1d1b64a3d2c951411eed7f5d2d4d651e

SHA1
47abae6eff34a957dae7ceb92d7c00678028aafc

SHA256
427d1cee48ad5384e18f5796db8eeb69669a118035c2317c51cd6ce34e3b277b

SHA512
17a4e928f87655dcad6e9b539fc2d4268694dad616a342eda65c111f922af4ca676a7b086fcaffd7b151bf4b26c18e18f8262ea4f48e2c7eb90e5dd7fbba520b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4206df5141a4b3cbe3d89960688ae5bb

SHA1
2ac47bf9ad9ee076eeb4eb73cf420aa49f22bcea

SHA256
94a4f263495c5d1f83c2923cf961c8e113da5f07f52c67d479092b739e096922

SHA512
8614b371cddc97328d219ecc10ae7a6de1f8e2e55e261f453295d96a158fca92d6f815abfd11869fb33be6a86861015a4dc5e8572923f3fecd00ca55eb8c4938

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
43fac62b7e3e55242d4a8416c640842d

SHA1
dfd86ac2a33060ceba8bddebe64776e7c7ddf167

SHA256
4944ab9812e9f3f1b9ba0714da48e32d846acc9b937b9cfd6feb93acae6ace7e

SHA512
4fa16984b3e7988bf6fce6b75b3316b0d1892d8ab74e978105aad53cc9a2c7bdac6b2bc184e29213adeac1c6d309b7f8315068d7fd9c8763551658d25869489a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9950d4862b1690132df66d2ea4df74d1

SHA1
e93ddef633d07eab993a6670042005c051a9ec23

SHA256
cacd8e25ba7d3d11cf37e9c0ba8efca9113c2fd7bf68133d7a20a726377e5f5c

SHA512
0231208d55142e4c8d1148e76720689abc57e20a73758391425de6be89962f8b96bfc5376f8dda03700514d7d03bc84f396cd8cb5d4ef25f19319e8557822bb3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
60145455bbf488f63d90c5deffaa5f06

SHA1
5373641a96c7dd87497937beac731a17b135aee6

SHA256
4ea19035b1d3c11bbaba4c7259fc8069830efd4cf96b529470d0d75d07dc5ad0

SHA512
e32568a508a5ddb4f8b48d37908414fc0890a5ee80aca98724ff97f3e5ade74364321a08cb652bb424011bfaccb1fd7bbfd06ffa9678af2fe153ad03fadae1cb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a579e4e1bf4993b9266d5e25be7ebad9

SHA1
837af2f1de556d827ecdc2a3e2c0ce8972462f8a

SHA256
b7bacd5ab20df51200f3ac03937d21474ef7cc7d906eb1a3c733eca38c48b630

SHA512
13736c077f1975a34f8ae16cac287cbc5289bf4a1c2363d87cb6bca9e81ff8b9809c20f27afa5565435bef140afeb7c8d680f8bf062069f18186cd1347ad7062

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
82bfa956c7a6c2d73c72ca2e85c3321c

SHA1
03eb706eb0506fe2fdf1eb3abd49e68fa75e269c

SHA256
f9a15e722459a47d0c93828cb81df65ca11815b1f466a76fb96c4521857e820f

SHA512
b64657974fa74b84faafd4ef95b02c6d68f284d86aa71f4347015075c67949f3a7dc66f2536dcd540a1f20e7bd3bf85466903bf3e7b51a48212d79e399f41c67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a274a3d22ebc66d2af695a507e11d71c

SHA1
5a926d1fbc6e06b1124eaa9c5979c246e7bc334f

SHA256
a4c0b0191cdeb8eb69905123d85314f6410fb46bec5ad417417f1c30aa789b7d

SHA512
8f2c2be9efca5b10ff66539e5f9b185266ce5de3211dfdb426bf9ecfe7801b036459d1d68a89f1003085a560b27732c91409b5971f627dae431099b08fa4d8bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d41713b80ed6d53cb3b670f28f56edeb

SHA1
e3b2cbaeb43a9ff706ff77ec79a9af725fac026d

SHA256
4bbc1a53fe8907a7c18092d2b50a281c0f68688c98f91387cc461865188397fd

SHA512
06d9d73277bb1abab2e822c7d0773bec2dbb5be7d7b184d4b5225cb41a38a85d953815a18637fa68b03236511d9ede00e76173d4f5946fcd31ee35efc4713317

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
42a88f6879ea121129a3a4cb01394989

SHA1
18be5a7c54651c435b4f69cd564520cc50c8937a

SHA256
5e818a691c3a5884ac41549f6018bc95d59caf0072e732cc2647b15b3755bcc3

SHA512
4751a65320a4e389518c9a25c9bde86404b9cf7c575f424b75ffd9b2696c5fc3629f54d7f82d79d639717e94344455046c030429bb7b4b2f0f5f75339040492f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b1c3181e2ce1a72b3ab7c5449c1d8330

SHA1
4892ac8e66970f279f12e0634a78638f4e246203

SHA256
ee1a0004996e14e488346aae038089a2a7beb9e6f2fbdad68f0d426b8f2cb9db

SHA512
7f3be246391a0f33de4992971c995abe3add56830ec77a26161021f81a007fadc43b996a4685a5c07b7c4e682599d9d29695374b2f9321a2ca79764cf36ddb18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
66584983dc47f587511b090c7343c3c1

SHA1
6d119e0e1bf1088a7f5a3b081107e9eef2e36f1d

SHA256
e37cb30faad2de25c2897e5bf7858783ae1bae3470b4c6c2f1e518875802fb2e

SHA512
b9820793febd1041e68b54b78568e5c26a21598344863fb44a7a3898bd97ab15fc7651b1d401ed5141737e51755dd17ab0b980de7ae510f4e483e0986a91cfff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
49a20c3f76d5aa0ee16da89d9eaa7c36

SHA1
342228b152cc1f2ba457843b3b9786dc69435620

SHA256
e41e0f458ee49f1096c9f134461d518f56525a2d4fa67c8f30d3b36608c94ffe

SHA512
51a48cd42e397e08eea4a310615515950573d4505eeda3511db20e8cb188b0822044f43574018e33700a9eabafeae97f3a7de9a7aef78a97b4d121f94027bb56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
068fd2e3eec4094a97bb005db342da16

SHA1
db687d304232a45603acf2e2b69dc6dad7422c67

SHA256
af048f4787b8fab38eef7c1b795583e980e9f917967211c3f250d14246a438b0

SHA512
c3c37f03178bffc9ca214eaa335b049acdbd99f308202a2c3d7191b1c4342028ccf0f814da0e9434321b17fd5bc015d2df7ff5968bb8bf303f4620645ea2f356

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
896f7bd7988a0805494d5e2c8eef6550

SHA1
99a7288dd04a6e4c90d499efa8ae8d3f53878985

SHA256
105d215f7d12024f69ffca56e0d71be4ab3ee54ceb058826a87e314b458b6e71

SHA512
4f43649b0a4facfd97d9d90fec6a2891d7f268c784f0db887d3bcfa5b7c6988f5f4c8134283ad17bbc82ce60186fb85bc2e8132d887abeac05ba8a95d0f4b28c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e73fb7cce220bc0ff203145d3065645d

SHA1
20e7c1a2a4d94f988a406d97e058dc98d2330ef4

SHA256
1152f4ed24edf9fc8bdfc85dc6293c7dced6db615f2c59b0ae0a75bf35dab130

SHA512
387855bb9098c387df2246a9bfa60c73c82a3c8c153ca4fcb351c8c09ebacbdbdb13608a837e6b5f9ed064afe2cfc701469fdc011ed8290e0237c11d8f62428d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b8591906fa380c0c387c8368a2fef7e2

SHA1
c46c7863f0e86378ed83b9796d013e6973192244

SHA256
8861dc0224347b60c58285e7e6d1f6d4df49169b62147cfb5dd0bff428b31bd1

SHA512
8c4a299948acbcf2fb2f42a743d6cebc8d56ef95a70a2b98bb61d7885e98fbf28d8488626628ef0a84464f4fa668f559714a6d2dff8808131365d0a6a3c4845d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1b7070988375ff7f1d7bde5b8d2da0a8

SHA1
ef91d22e46f2962b6553a7d2742f3a245b90f2b3

SHA256
9bc8db98b63128fb1ba8914504d361450e3f02393b6cb5414a9e20f4c7935414

SHA512
f71245e8deff744200eb6a40f448cdc7ce4efe62ef2f50f68af516b25cd5cc4d1161d34b64dec374580a76a47ddea0356c423ebf8f34e84049f24826e82fe498

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b0546b2d39aaffe24805ea00ce361ed5

SHA1
4541a107f9e1b34ba3957cb4aa01e6ac5ee2e895

SHA256
b1ddc45db7c415bf0427ddf3abb448a9214f0ef38b20936835316aa4e9c82555

SHA512
00b4544b2b3a9904b8894e7025a02e4e6b9b905562e86d4c1d27d519a3908f35a77d4d97f75908095e977758202b8641aeb17273a8f4b3f498ef293312ffb4fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
60226415dcc38d4fdef9766414b3591c

SHA1
0ec5c916e9400aafe530fec4cb30babdc4bb7ad6

SHA256
413c52a734b7467ea186f712c30ea284202efa19e7d1b6814c209fc6d135c545

SHA512
e4b739296d468427ddc0c838e2123801d7834314e82d53231084a605b71b13b54a6a2f008226680b01a8cf1b79cb302a94589b4de45386d34262abddf534810f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dfb9591dde74ac0c16388012308dc3f6

SHA1
016c55e83bb546ebdda4735c015284e448be0108

SHA256
7eb1860b8371b1202574419c8f02c9ae2eaaab10dfb899f2b5f557d48cc0fe8e

SHA512
01188065cc2fb7efff5ddcdcd6fd3bd28f1deea653b0ecfeb10309750c8b819bd656e70f39ba4710a867ade8d108853147f6f830b9f071d865284007424473d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
46015fbf62ae5605ff0f688eed5ba93d

SHA1
31483d48539bca70a4adf007f49d56da14514f84

SHA256
fb1f5bfaeb92337aa83118b773a526ca3e9ccff4161652a4211664f04da391ea

SHA512
8a86fdfaf6eae284c6fc7252bf64d8842ddd7a1a4cb62a3251d7322e9906bbffe7bdc90a4b58de3506452f5eea92d92b750bce7571b8412e9587404d123a9f2b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
296f49087123f8d03dac346eb4c12fe5

SHA1
75e7ac63e83b8d14460cda747d5524871f46887f

SHA256
72b4adc5cdc1ce3eebf5a131208c195db29c5518601228f0b519a70d1bf51a58

SHA512
0446a6eb2d7f0cc0412fa1e141984e551cc62f5eb3669c612b441f1b1d1408d5f0634bbb9d0f99a4d0f0db6969313080185fed800f9a74af9c1559b5586ccb3c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6e944dd4403e14e69429231133f22682

SHA1
59daf447a6eeee495808c6bc58429ba392e6bfcf

SHA256
6d6d8224572cfba1fa8baf0c6786ed15c5a54d3699605ad015f7d4e09ab63bd1

SHA512
127102273541a411323e8119029ab74a5da2b38510df6e2d3851872c47c8b36c4a50e89ae91b4b63804134fc96f1140acd54e8d1e332ee184652feb45cfacbe4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
553e1693db428c69ba780ba6ec798317

SHA1
7e2879623238e39a8f3e22e5f54603df006c56cd

SHA256
f11bf352d28551504615320ce54488df371662ea91d21311b310de167a20f183

SHA512
55149a27d385923f7211fb324f9261d88d99d64f4b9f70641a908b06d348b01f4aac3306ee63d9d271ccdf02afb8f802f3301ad886e799722ed7a10c8c9d41e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
61ce9cc8a7c61d6a34709a3a17785cae

SHA1
b9039a0167155c7b6a13033416d0bc16c24e5df6

SHA256
02fda7eb7c631b0037a27019d480f268ac5bffb21cca0ad8ffa9b66b98c607ca

SHA512
0426599ef56baa673accaf34d990b416bff4ec0b5c826d817b8e7e4d7eeb51066492e11b7487682df7567c13c95c000aca9cdf798e13bcc8fd35673c9ddd784e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
98a729dafd0520f4d4234104a9635642

SHA1
749a3d7b59b0a87fb3423f6c51b4128f0d3100ba

SHA256
191aab9389eb473f3527c35ab6ef01bd2eb38ccec13923910a0e651c6d2d2197

SHA512
634392966a0a88666958c33e0734580c1336002143b3ac1db45a07859b51dad7f5350ece570dca57889993d0ccc27cf2425266ec863444ce71d3dd1bc4bb0b5c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c34159985bc360c794c2b0929f6ffa5a

SHA1
94816db359dcf9e2bcf6cec6ffa0a225734f666d

SHA256
43ca18aed76301000e1cdc74db53b82250a6bf9b1380e8a907ddb8f2365b97e5

SHA512
0c9c1281a749b042b9467bc6635a0a20c1bd12831d91feb8513b94966a830f206e449f2aeb31127d6ac8bf6c8e872f42c5f40ccdcd6e6eae76344e02a47e992f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4ab764fb2f2effb537d75afd8a38f987

SHA1
a7fb4b40bd005c9310da2ee6466f0f4239b9f9a2

SHA256
fa2237f82e0634363586300eba3f5f4eb963263a0117cafffa82a89a3f635176

SHA512
45b804fd44da90847b4c65875176408c1ea6f2c802b4ed6519a9084fa14280d7f19f31c0bf463f4ec4b1aa5217e087a071014feaf6f0063db20fad83263dea91

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e717409a88f328fd99ebeb3d072dd603

SHA1
c6379b05e32b9455610501e5c4912527f4cd5a21

SHA256
66a4d280e61e2c2ff91f1b69ed778900d8ce800b17a12724ea64919f06b78d8b

SHA512
7bac1979e71ac1d52649b09dc03ce3e58ea5585ddd43aa04bce76c01bd898d5f1e7e6ca927851e5e7c510f09b88536f4f7de66af4e493690364ddcc7aa261dab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ed8a4a984731a27db05dcaa1f0c77741

SHA1
7e0578bba25c3b73e28eda9d7bae8fbd4f520243

SHA256
218db1361eca17190f2308d0fa488f6f06d4f72b66cc2659643f3098986fdc73

SHA512
bb0c050f162d9c4c81da15ded84c5fcf87be6c5ea06d592fec4cd9976195a13be987a14158b3ab5253a6776319efee7c18fd5b8aa0cdb6a405b9e84f33cec7a3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d797b9c05d0d34b213a9236660e7d348

SHA1
e27ac4940ad13d5f3d146d0b10b35c700ce9c3e1

SHA256
b7c0743262bbb27a98af3600ee093eb447742a9e54caa79cee5c06071addd181

SHA512
e6b684df41363038d76e8881e5cc8c96ffc6a90eb0eeeb087cdf7d278811aba02370fb28fdc624a02e5f3bcd8500b3c6529e14ef5675a7e8e0574a5ab1855436

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ca772211a4a4cad01c55c4f0b434760

SHA1
aea821f8371d128e5ec3ba41677fc81be3a323e9

SHA256
f37320ac91c4d9466458c61c4123b7d85cc144952ade76e0b07eb7cf1e5225b9

SHA512
1955555d42161836d85fa71d10bd0f993f2112d27d54fd85de8cbfa3acbeb144347c70a2199982caeced35c06df167873590a082412f61f731b82a78cecff850

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7ab9a3009e40c3624f2be87a2fa17e9a

SHA1
9be4064c1f39cd5e8956761b9f419eb202a6538c

SHA256
607791d50b83dbb2c0c59c2aed56dcf5d0edb3f216f2161cc713d21959d9fa09

SHA512
5ed28d6d6d60bcd79188668367e042f77b20631b340686cd37b9b5d7c54aa0fb82b1f2c805fb9e0c1c3a2205d0c2e2c6ff5c05f9d0f236d1798dc4468471e461

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1d97cd173009482796c296d096ac910d

SHA1
cc31c3aeb00f39fb07a048f66efcbf4e29bfec15

SHA256
8d8e2dceb8e3e6f664b1c64b3da390aa21e8d7b9b0a369e2b4250e641b32c5c9

SHA512
00f30b84d78c0b35b2e7f178a93648978cb54d161849bfd02c22500f92fec0841ec676e915fa9d08b2aafb95c569263a051365187879c99ab3bb0fdd9bece557

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dba0cf554b7961ddb86e8c55491bf2f4

SHA1
dc88446bb377776dd620f40b2df05c6b9a02e8bf

SHA256
e496a004b69f6a2dfe59ea9fcb0e4782da2ca9b29159aff3991ad9197ca932cd

SHA512
8516b8cba264406add27e051681a0ed070d1db7f420f65903a4f4f9d3f230a4f95aaa9e6613208602f3b412dff49ed7defbf2e4ff0909b586c59dd9d39734379

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3cfd6b4bbfb508a5ac20e37b2a064de9

SHA1
243971b67d6ecd7c841fee84c5b100860bd53178

SHA256
b0e52e5997d7eda6c0d5a06addea4ebe0bd1f9ec8657fd213fc2f410c8dcacce

SHA512
925e59d09413fdf5298ae966e0cfc213e2f62120c1eb8f4e80eeefd66585efc5c287357d83a7f5fb86c6337c4d937e7927cd3f59e28203780c9948d77222bcbb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
604958dd60ea175b1e382f4b6c1e03df

SHA1
39866ed2a0effbf8b04efb53e50b5d9cbaf2fb99

SHA256
0e4e64cfda7e2574e924e817c8070c8a651ee347574364ffe90ffe471ee0d436

SHA512
a67c4ce6f5d59fbc7fc24be440e941c4f2dad9f220e2f24f8c527bdb1817a337ba99c65b7749fe9f52beef168ad44d8317e63639d9c77c4b97895983e5350245

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
37fc9ab8ff67cafe5766702e65835874

SHA1
4a608f19edbe67a9c1a0f3bf1313c90b65e117f5

SHA256
0612d420c79aa40567735db5d3599452d4a8d7443d571589db1c9118eab656cb

SHA512
25a9589f143b705caa2856d6bcec7f87ee4f79b96ba31ac499b5885b73f3482f0437a0fee4c8c33b7721dd561c4eae1e8b8fc88b7de1645cd1706c97ba2aa2c7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ba63fcace1a9b471ef80a1a604d47227

SHA1
ee7fbd9fb1993e1c72005e7c50b7a578fd3f8b51

SHA256
7641c7b47709283a00ed8437279aac026f6160c528e985992f8bfacc41f0f34b

SHA512
5203edae9ff0ba7d80cf71b2b68d0e9aa465c8bf69c0797d884ff41c38fa7deeb454c35a1a604614d968dcbaffdb32ffc17ca0e36c8e3c7a31e6f90fa8a8c5c1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d72ed487bdb13335f56dc31986cc3faf

SHA1
1c78a04ffecae6e88d2c6d72e79fc627bc95cf13

SHA256
ec4b8e69944f61f0119866f3a08d4b961b4d5e10f7419398b46181081b626af8

SHA512
dfe59008f173aa7ed17d5688a134ad7e649d903c97fadbbfcc177aa15a3e1de3b15e689239b5ca60bd4c3c9c010d0fb7fc98da6b789cb9fd6076321983c01092

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d5e28097de32b1403e088f0edab04e61

SHA1
7422ef10c2d85233dcb7264d2f0ece4357c6a92d

SHA256
893ef0a15fdd5f8798b0448a14a8fc6f560571e038225dc00f30434ccfbef12f

SHA512
fe2883d96cc7eed2e1a78438247aa423bbec0b51a7bd83481477035e0722676d6f7222eb61373ba6e13ed86e5c76695d73989060f3af947868c85935bbac69e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6b5c29ceb4b32f98ee44297167f42c12

SHA1
b04efdc1eb674ce25a58a200645f1e845075357c

SHA256
8bf4900361e73170bffd0a529048129149ccf4e54bcd2e76419c904bc56d17b5

SHA512
aed6dcf02834b278877df9ab29ec7e0a23859dc49b087fbd916f0512c0a0bab2f7592a34e35058bcaf1f54b883c66668bce8845f01bad202dda6a3e2ba77d584

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9e7941473f567c45d1c90057291e0203

SHA1
4435c77e95c8241199339cf22b3ef0de5d3f2eb9

SHA256
c543e13d57ecb7aafb1f06a495a957c3ab872b4b7747d656a3c8138d863c9ab4

SHA512
afc39cd26574700d9834a3a1fc8488013de12f7154afde39028478223eeb4910f50f0a7519011cb4da3a1818cec5ac5adef08bf8b854c36845cf690bef70e649

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
6ae38814957965dd136b9069e71bb499

SHA1
b20d8399320b1bd16455008cf07b0350ce58d4a1

SHA256
743435834f9dc7425fda6198c928692da963715bffc30349f168575d9b9ab787

SHA512
9b52ab0b6a6af69d1ad053e178aa407bfee2602bf80cc1c63147a00ef450ce78f356c188f64122b47e15df3e7c9c863fcdba8edac306ab4addd23f3c0576b53d

Download Submit
memory/60-169-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/60-410-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/548-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/548-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1168-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1168-111-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1168-15-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1168-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1580-403-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1580-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1608-63-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1608-59-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1608-65-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1608-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1764-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1764-408-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2252-143-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2252-48-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2252-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2252-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2572-39-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2572-31-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2572-37-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2572-131-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3340-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3340-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3408-378-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3408-119-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3588-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3588-74-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3588-147-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3588-76-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/3712-79-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3712-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3712-5-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/3712-0-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/3760-83-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3760-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3760-93-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3760-87-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/3832-341-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3832-116-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3848-81-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3916-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3916-409-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4052-97-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4052-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4052-102-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/4052-104-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4296-405-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4296-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4368-163-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4368-108-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4384-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4384-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4620-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4620-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4856-399-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4856-132-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4904-112-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-400-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download