996d81bb12ea2bff05c2812d52f8884a67bb1ffb6077b2dcd9f3ff5d476b3c42

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Size

24.3MB
MD5

01f2b4dbcb845b9b019cac48c9c4d242
SHA1

99f10f2514ae2a83e22c67a7d3a3b9850fc0f15f
SHA256

996d81bb12ea2bff05c2812d52f8884a67bb1ffb6077b2dcd9f3ff5d476b3c42
SHA512

c98301ab5d6a15446b9b6d82253a3e69241d733cc44c5c410fc2f9addc44bf2ee0834767e2add1d4bb3c3f6479ced37fe09c775c5be9f862fbf9c8e952a11e60
SSDEEP

196608:UP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018QIm:UPboGX8a/jWWu3cI2D/cWcls14

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
60	alg.exe
5092	DiagnosticsHub.StandardCollector.Service.exe
4168	fxssvc.exe
1496	elevation_service.exe
1020	elevation_service.exe
4924	maintenanceservice.exe
3196	msdtc.exe
3764	OSE.EXE
3428	PerceptionSimulationService.exe
4660	perfhost.exe
1928	locator.exe
4144	SensorDataService.exe
3028	snmptrap.exe
3960	spectrum.exe
2648	ssh-agent.exe
4460	TieringEngineService.exe
3564	AgentService.exe
4412	vds.exe
4768	vssvc.exe
4924	wbengine.exe
3528	WmiApSrv.exe
5184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6e0eefaf74f8f84a.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{01C6D80E-08BA-4005-BBC7-FA9D9019DC00}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75234\javaw.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbdf077e2e93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003620a67d2e93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007968307e2e93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b54f997e2e93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c80ad17d2e93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8b37c7e2e93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d728927e2e93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fac177f2e93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4168	fxssvc.exe
Token: SeRestorePrivilege	4460	TieringEngineService.exe
Token: SeManageVolumePrivilege	4460	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3564	AgentService.exe
Token: SeBackupPrivilege	4768	vssvc.exe
Token: SeRestorePrivilege	4768	vssvc.exe
Token: SeAuditPrivilege	4768	vssvc.exe
Token: SeBackupPrivilege	4924	wbengine.exe
Token: SeRestorePrivilege	4924	wbengine.exe
Token: SeSecurityPrivilege	4924	wbengine.exe
Token: 33	5184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5184	SearchIndexer.exe
Token: SeDebugPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	408	2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe
Token: SeDebugPrivilege	60	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5184 wrote to memory of 5716	5184	SearchIndexer.exe	120
PID 5184 wrote to memory of 5716	5184	SearchIndexer.exe	120
PID 5184 wrote to memory of 5776	5184	SearchIndexer.exe	121
PID 5184 wrote to memory of 5776	5184	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_01f2b4dbcb845b9b019cac48c9c4d242_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3196

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4144

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5716
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f015b05e522ebd4931579061b55fb5df

SHA1
52a8d9e8e31b831310ab7f36847b6201b04ce363

SHA256
6f982b2f6b7cdd2310aa975d05d207a1466c9b2ed9fa537a9696b851303a2aea

SHA512
a6bff43ba188808fb957d8d4e625c86ed2f18a6db265f66625c01951982e72e77a87e55465292ca271026535e5c66ae127c4ad69d92ed89d0bbd5d6ac739337a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
02bf81c763eccc952442d584d94a0252

SHA1
c8d8f65e2e795cf0af587603a3b51d56dbc541ec

SHA256
d4a7b4711dad957955c79b076c37d86a6115f90a70111fc5ad055c9aa78d1dce

SHA512
64b85f37112fd5038f140833c07be65c8cb194de47fdd77423c30dd7ef6bc8fecf24560e72020a58fca4a9e9540716b592740efbabdeaea00d246d4c50dad672

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3ef0e98ab4a842ce1a08512d4d83784b

SHA1
7a9949c1ffe0968acce0d41faedd0526e8a830d6

SHA256
7ebaca6a9659e42c8dc3476a87630152fadede1e4ef83e03387c0f8d9f388f6b

SHA512
25d7cb2866a6df15e0bfe4cf14e0673d69608ed69ac11a939fe257d29f0b27e6f69fc4d300fb4c08e5b8dfc94609d8f08639b396a5d049a9dc4c88e6fbe298f1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e4a802f35500a753c193a5eaf8c92ebf

SHA1
755f1202e7fc539bea8064c37559c66c06269e41

SHA256
209425d627d1bfff19794115ffd7a7c944a0357afd2f8caef969c92cd388ea34

SHA512
cd07152955353d5517628641e789dd375e18946bc09022373ed4b8d6f1777553234df4fa6c26a8b63320b7d06de6bf01a969f58f46cd9037ae4dc7ef75d422ac

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8a2181e2fdc4dda6d25dcd5f68e88825

SHA1
69f24876b0b22ec3cfb760dee4210455ebdf7448

SHA256
25cd9c4482960869b56a0417ead864021717f6a7dfc24352070ab08c4f54daf5

SHA512
138b911328a0418a8c887b566c1fdad2567f2938a7b08aac5fd8252ab828c973d291f9463943114e1a19a0448f57e991f9e4c598751eeeb58634d151659b2d7b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
f061ebd532ba91a147b91d31718603ec

SHA1
dd4d1583b89a780ae8da028cb3a678415e7da944

SHA256
65c676a69504b45ef0b1bc6e93a8ac84ad9e665dd6f7aa56b94f70d79a664719

SHA512
2f852d927c72af773a3c29257715f6185a13e8c896bc0090690ccb4922cdac19d69b8b15d976a5f24709708e89f82258e9550cda40133a69945920ea7d0cc801

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
19cece4423570260d5d3afc941f82927

SHA1
222aefb410b3c6dca427d12c9f425bb84f2fa032

SHA256
5826600d78c658ca0eda1ac26648eade5fa4d8a7f108a0fa5f132c76c5e24b4b

SHA512
b3759eeae5593620c7a5441e4b8646b8a384e8af9e4e3d60992c3ac30a24e8d5ae2bcde4a253975a1bbeb8508153e8485698c88fb96a3c024a3bab4c1dc20226

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0b419c44579dea9fe49a0ef4d0d06241

SHA1
b95236218c4d030721f4a6e817ba13e89cd0f938

SHA256
4b6b2a192a64c2f6fd1c18a25558781ca2d160a5425f107991029c98cd4432a1

SHA512
8f1a225511349fedc272792b8d9b78846d24a8eb43ff12bcedfa033b23843db6050cdad5f08124a1c3a13eda18d1f3f4964620676025d617c11f98c02ee47526

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
7dba527a8d0de398ef833cd2c11c0b2f

SHA1
18fab41bba884b856d7879c4698b2200d263e52a

SHA256
9288c84e150ca56253ad45aa38bd9e63d718a95837f8089a732bf417cd605794

SHA512
50f23e8800be6b96200e3ea11056b03d4f91b6756502aa816394eefc98830b958530ff2f14727073fd0fe6beb78d61458c54258c51ceea17fda9531a22e4967f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1ceda4cd9182160fd7b05ee63629b8cb

SHA1
bfd58e8457921ee019ac7587ea7756df2814cf8c

SHA256
cc8edaf5cb2150a4814aa9572105d0821d81e37cac80708a78c0f5d06233cf7d

SHA512
1d8db9d3c1abb7785a2fdcfef8591a3568a8938ec1d8d7008dc34dae79d5ecbdcfb02ecfc55a155a3c16e1c5b49244adb331127ca1bfbe46f34afa30f548bd3a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6c857f8911fada0c35aa43a0a9719f1f

SHA1
4b6024a1ca6a7bc7489919a61b497e18754d92b9

SHA256
383a0d6dea1ce38784c4350dc0ab06d8502b4d632b4cd9e85668ef7cdec25166

SHA512
49c05d8ad4abec0a9069a4070e3a71470fb61eb39bb7e77e360b3825256d6700494128414bc4d43f7e0df362112efaa10b04ce80c3f2944917b8dcaf647e1105

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
48673850eca1f525fdc4d8e5c6097556

SHA1
9ae733dee3cc9a102387c9fd3c54c62f153ba037

SHA256
b1fef5971746694569ebe96cb32bb54a05433ded2c86c6e2b29924970822a4c0

SHA512
b99d56990f0a73c8064b76bcdfae1a2d245849a2b640526e85aea21ce1d24fa4d654d3432faa5ea664c44d319a0ba14230cd18ed9c620b061efa4fc1c4aa4159

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
105be04ef1f1a89639dfb9e8c21c7bc8

SHA1
5a11dd6045a7a354535e67e54e2ff10a521c5fe0

SHA256
22361b1bbaac82a82d27abc812204620f681b7e6e96d9f683fe5b487878ac7e0

SHA512
56b1eae0aaf16ad8defd26942aa8cc95fd94cd5ee406b4dc8cf95dfe80abe1da64e45d9b5617f9c3806cb1d7a68a67f16a6a31dc674717fc4568d7842d72a12a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c5c57b6d0a27c43cabab43fdb0fd12ca

SHA1
91359e9b87e7796abbed1c445992922d7be1140d

SHA256
a124751488766928f1e77dd9848d7d95b9aa3d08763eafcdb6acac7cd10f257f

SHA512
d7eef475dd99ad4b2a6a1ee8c785ffc3b44ec704ec74db7856a930d3f63943cdfcf88f25731d3d14b7195cf7c05fc7ce9fb51d8a6b3185b38595920a17d8a161

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5202acbc605c1d3ceab284ffa9f172d8

SHA1
3893bf85d8cde165c50bf967c8717b74428cc364

SHA256
0e5fc65a153ecc1e6672feb588214b1491aaaf2b799b4ace4e3e3bb2c228c8f1

SHA512
29d311485182eaf98acefefc650bf7e631468e07a3a2d40a7bd36f1d4f904c0957f25ca9d868cc4917f43fb6f0ec00abd59224beda7b10345cef4b443fb745ae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a128b8d871b226cdf052286c913ef011

SHA1
e570a3680e4cc91761f4ca68ab6b26a254cd3126

SHA256
0d9d19fec2b6bf7f2c76a39bb5fa951f60a7be63bee6e394f86c93fa9bfaa071

SHA512
7ef3403ecd1b64dbac80caac2c1181d8e246882f03a09bd448e7a6a1cdb794ba29186f171fd99ddc846711b6f260c037ae3278fa153a62a3750c09443210a765

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
34f65f681faccc8aba940892ba1d5f56

SHA1
97a5ce047ad8403360270d9fea93f3d9a835a98c

SHA256
dc7120c14c84fb0c2d1144551e7b62080c5b7d50b94cceaf2445f986860cd2a8

SHA512
855872dc2aee53550a8508064da157b790069895b597cfedfc8372741c3e6af625f1747f6395d25f9f4439befcc37c5ce5ece89f609503682476f8d02c775be4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3cd763647604aa1ca52af21bd65698bc

SHA1
0cb2ceca97a6ecf317fb7edd64c029be0db6ca75

SHA256
7d49adeb774678954610b892aa3a0b8ac3aea742fd58dcc2321db653c5e6dac7

SHA512
f4579d171cb117ab5fc4168caa773efc31bf24b50c5dde34959469a8f73b1ac4fcccb28569e8f9b1bc252c7922542bdae89bfd5021edc00f7787bc3a1d37a9e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
24ea26397cad0074c6174cf523e754d2

SHA1
2bc88949e4cadb0b6ff261ecc1554ee6057608d7

SHA256
2c8374b536f278f19b4be1c6f0d76cf78a5735040b31d634aad1b6c23d354914

SHA512
2175ca2a8ac023c1ab02f901f5cc383eb3669e38e9cdde73cf438115fe53ef0d2d7d826fda1adcfd8307d5fe4f3d689107ce906b68baa86061ca4a49cd70d7c9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
c84e29ffca0b93619f8efdf884d82f93

SHA1
87193656e65e2161b1fbb23485e2500062d76efa

SHA256
061bbcfb23d57af6e3a6166d3420f91545ad98fac3fd44441638bd1963c1a5e8

SHA512
113c68f601a0545f773c99032e7ca1e375789040ef77fc97ec55c55b68c930f7599d238b8e124d4c61664fb4b402a533d2aa6eed105097df73edeae327bd8da7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0f54767fa10f3185ba590de3907d4a5d

SHA1
c9b8bb915dd795c6e451937fa21ee8aec0f7bd7e

SHA256
48efe0d5af64f2ee4d8c199be272e13e83a45d69f4577f95822ad1213c48bf03

SHA512
f7811cb4da4ff8e398f982ef81d68155f59fecb6dbebfd3d28451685380dadcbb0dfaf56d1b447938ce77d5686f1b3d0db3beddea83175e4191d86b4a43b20a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
bb6ba72fe18cf8e18d5430e3cf8d4d6f

SHA1
290996d8bf90398632b95982e07672f7bef8c235

SHA256
58aa12fab9103f74dd4ee4c263e658102c4439fb6ca74ce3a6c56aba72deb0b5

SHA512
0e8ec61e469defa9180e8eea1f682557e236daf298aad7727d6b0b32382ea36fb24d80a03800e9ca6499729678df07197304cf82c74f13ca68d6bd91dbe670d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
801253256b49c50f5973ceb8292c2338

SHA1
7e2b6e83bb1532643a5fecbaa7731fb9d808d007

SHA256
8a15cf910be611e3a8a1af2c34bbed9e119876190a969eb8194758a31697e966

SHA512
1c16c2d0521728738399e6159345ad53ce4aa139a6710c29a7cc6c7656d0065429b6d32f46b089b35e133d7d6a1edd0c84054d416d5129be2207ce2224f7564c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
1c76818e6e775270142d9b47c37bd449

SHA1
31a79880adfe78f59d081d44e07f9d54f7a3fc6b

SHA256
5f92ca44d00dcbaf83658922dc56b887d6f765962cc179951822895346cd76a2

SHA512
485d25de9129999410686d8cdd7a2f33cffa4bf77f06a8d27f293d13c5bc901023dbde7f36302256a9ad7a034b9b85f3341eb93d4433f1a2ef1a07beda7c0968

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
9aa361f337822f57ce63bc5eaec45948

SHA1
b5461ed3f69d6c8eca972bb0e0da8e67599b0a2f

SHA256
7ef763edf8bdab75fc6991c05cc00ac08cff87f5512a1cd57dc725af6e9ebada

SHA512
e1d6943faa121cd2fc798fbeb16b7024e0747e6362a6876d8b5f3aecd22f6c4a6eba9612c74ea0848bd79be351da9c283b1fd13e602d1e532e0af48de062d220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
61520f01e905b13a0e628b3fb601c3b5

SHA1
f98621597f8cee4fdaca41351c6bf61955c67ae2

SHA256
94c93184f4b7d5546a71176f2a5b4372fb663c62ac3149ce6d7f4e5febb6aa78

SHA512
4c44982cc2aef90458a9511206b8770c5971cb48da98052bd7852cb9ee4fc3c27af518895bae47530cb3d1031867baf0dec883d6bf95f3f45ffaa7fe91d75991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
28a3ab73245a4f1f2747391ef47f42bb

SHA1
6d14a67d2761a56cd0572bf679018da923ed96db

SHA256
e14f1835d5f311719de0ecde3e55eebc2e43f4a223d321a453e2d4cee3049229

SHA512
e1eabf3a256a4f663442e50c4ec46427292900d5b341e547072de8c494aec209f6ceedf5696d22f46b71a07a717c18527b3854fd547b79e654a90b57da4182d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6461c97e6305951eb3ce7b2e815221cb

SHA1
5db97b09ce63069b429a31ce3b78f9a433ffae17

SHA256
bfd9a2dfc05fcccf49f5f8b39c94a888f3d8f0c168f681d77bedf3d9dd022c0f

SHA512
f5ad6caaceb8fb3e0280aa38bc716ebebdbedf41cae3c1e0c55a22ab051c0148d0b6575f6835a8f77136a77c87dbad35a254736a983890c561c517311740578a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f9913d87ab548e4aca7cb7de28319313

SHA1
9dfc0ff734b81f26f3d73303868ce4297d589e2a

SHA256
c835fc3cc233c0712ae66b42d3e82bb6bb3f9b3cef2047964e2ff5e38ad32f77

SHA512
74c35bf5ad6216fb4f80bd092c4b4120f1a320af6daafbeaca4892e5858dc8ddf4bdec657f98232f6788fbf38bfec20ad8dbd63c1ba4600e624012ccc76e72a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
21be3a3d1a51c74b766b3a97ac8086e1

SHA1
32bcb782a35cb86a973fcb622d9fb7d5d9dbecc2

SHA256
2bb8f896c85cd8ac1e5b021947c1ca3c47d69bdf20db6f04baa958df9b6486ed

SHA512
e9edcbad96df66de88ed80aa5d510c9e0d097f3fafe30eb76457620d1680e56a0b79f6e0e665a5f6ab212992e308a7977885d75b9cc47b51276c46ed7eb2a349

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
64afbd65021478897fd57cf5c2ba4a21

SHA1
5713c73ece4e90b77910d971ca246de673556f17

SHA256
03a8107587bfa7f58093be0001e8799234b36dad373c0a256ca7d47b2b935f53

SHA512
3789ed19f55a7088f50d7e522255904349251c2fdf696f0e73e1c774a92ba772c7e72a57447fa95ca1d6b4233a64701e779f7bc8a3de30ebfd14663203a3a08e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
0c21603fdbd62b12faec084ca802b35b

SHA1
e0472d797675af1dd612aa845f2c226a21402e39

SHA256
b91c7e46052f350cab1f8572675e004ccdf0dcf21049ace463e154cbccfc78e6

SHA512
219e58c7cb762afc56bdc8056cfe7ccc190a295960b9b3f6703a34098dc0c8217f93664302e5dbb6cfb8c9c3990b412a7c101f86a5a4846ae41980c1fb90bd07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8a62421b76eac8e6a68f0e7c07dcaf77

SHA1
de7b667e1764a688e9b3beeea531dee8322d0232

SHA256
c7e81adc096326626052cb749f1c7824b97b7c850287e83d48ff37bb305ecc0d

SHA512
d454a1b76b8fbdfa3d94e74165c1e6fa909ab9fba570cdf62fa814e421f80ce9627b2abf5115ba3782918ef95fd89e6bd535c0ed01588528594d33aad93489db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
46a805871c19572fe922b7c5fe26f099

SHA1
1953680ff3a9b8b8ca40f2a3848017e5cd3560ee

SHA256
66f6d6c1efe32a34ad566b5fa64af3f5977df4725c0803b96212e693a0ede78d

SHA512
0f310eb44871477719a16a3f6f06c54b3803dbf7dce289436c367e5142555c35a70d4f0524e4e8bfcc6f89cccb269bfef2722c76f56a24b5728e1ed7a6357f21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
ebbfa0bf7381612105515babdb0a304b

SHA1
989b98f05bd2464b1650184b2067387516b69344

SHA256
87b7bfbe5752254814406b2d0be135557c2fadce7b25e6937b366b8d20c369cd

SHA512
6c3797c84fdb5a5e4e1ac72ea13c793ee79cbb5323348199c84cee6fa41e6ca4eccb769150b7445f3a740a683932eb658bcf3c47a7fdb93daf7353f2a792be4b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6656c3a5e17f248d24b66557656ff1c2

SHA1
b48d75e0bfa28cf75e32136953282eabdfc0a76b

SHA256
db2123d80d536c6734f25b4074181f79dc5ab56fec9de6abfe016e7f2ade523b

SHA512
3a19665df5e343179e51ac2a26b668ed4c4dd2a683278772acdddb93d01bf600981536ca050604b8ea65eb8eaba6f27cc6012fe7c62f8e803bb6995b3415afff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c72ba3325d407aeb54e5362005fd4bcc

SHA1
0c7c9d243d71e40aacae115bd1922fe8ba874789

SHA256
55554e951fdf2a5b2d1ea8feb174c7e6e1fae1e5c4167e90307da6f741101548

SHA512
77ac329621ffe1a3a53650516d15cfa907f866566ab9752d87e7dbbf816f752981dace4964b785b029eced7960b9d97d21d6ec44f1f6085104be9a49bc31dbb0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
aa141991ff3fdb6b30c8fde1d3ca1c4d

SHA1
ca463bda78d4f8065fcf6291fe31799e469e8b7f

SHA256
4adf3a0fb663ddad276b77043fea47a3aefd8aaa58a67ebfad5d413b86f31475

SHA512
4551af40816fd61dbf8a07a2efaef9b87f5f98817bcd8209351adaf5e5f9dca664540f69fa8f3a727894da4663c82bc9501304735036e645b598af508f5b90a6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ea887cec04262a91a2a0c47f2acd3fb6

SHA1
df61a3065b20421f0cf0f5066252634296b7b87a

SHA256
391b4bb6b1f4d8c5092083359164f992c1333293b95cbfee75cc9f3396ab957a

SHA512
12b7949f011dc2a1dafb2b81e25deb3c464729e1f14b76b998f7544599c979e78f726786e625de6cab893c8c403ea8f341616c55c5c71925e85ffb45f5ae3b98

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ce57fbcb1f977be55b03164c183d6af4

SHA1
331a85cf1e8e12234690ec5af9b0586a9d642c5f

SHA256
1d9b8c7357db801a151a54d5d3f42ea3bf41b23f1c42b73061c9c2f756d328e0

SHA512
d71b8c654d7bde1582ba419af253d5e97e4040933c990fdbe6cba7fdd7500dd6dab8e8972badaf86ce530cafa6b3f00d526746802992f7d2ed319eb3e8052a58

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f71afac0f6afb757c007284c207e6e2b

SHA1
3b763805893b195d9358ab4634f3334a9e80d8c4

SHA256
c12e360414c933b5bb3bbfad9fc33a078caac4c5c8d53812c5576f1a7280c0ce

SHA512
50addc1f4f9e11f3d9b75f72a2535a003591b9aab9de9b6f0f8b286032c6400cbe7435e1652bc56392ad6f173375118583621c709cb1263341146dffe9494aff

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1ee05c450f6ac27680a96c9aa7a2ced3

SHA1
c4b3d5408972f149625a1068055ad68534f66ce6

SHA256
f3fbc965f2eb18d12c7cec238b84b0244a7eebdd562d97c636cf87dfc1989205

SHA512
697f3612cad15ddbd262532674e22b3bab6c06436d5ce852214dc74c1eb0034df13e4daaebac0b3a7fe76d3da138d276236966143cd969e5544bcd53282c282e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b0aad5b7aa5c8378b6ee3fce08dbd94b

SHA1
303e1cd94bccff8846e22caab8f3c7be3f0ea4e6

SHA256
78014a191269c81330450b420d5d6cc94d6fdfd69f327b74edee4e7bab77f01a

SHA512
67ee7c27aae5c073902f6ad7404d3dab9ae50dc606962196598409ab76428b9b41e61e5858fda0c1d76650bf1543386720060153cbf5a7ecd87bc76f55004e9c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
564a3e5d2474975bce9ab5b5ff102270

SHA1
9fb8312f9909ddd25d110ba02b2c8860f668b68b

SHA256
1ffc93eea94199fb25fcab0f28d3703db5bba5af6483b39ec3f1bda98c9bc81b

SHA512
322996bc6fa114bbf131672a970cc846ec105b604d84d4f6bfe64f33ba289ab00c890f4be6be59dbf153bb6e4651837adfa059eb73fc354306531c2d373127fa

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8d5c08330d003f8fb962026ca209aaa4

SHA1
ecbd60a487b75af855b3ad1511b15d196241def8

SHA256
14733db97714895c2dbfb2759e372a5b8fc56fcca98d92bd5540ed9ecd74a10d

SHA512
91a23907542b4c7892319e429795bf9def14d9d383d33f4f990013f9adf3bb1b2247cca1a5dd609ba355e2344b4c9cdf5e6bcf8a4ec955600a759369389814ed

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6a8e680b2b65ed482cf27b6a79355750

SHA1
5dc00c3c3f9a7e541e49da674610520de8d2e729

SHA256
0fed2fce8ea8e3eb981e8e34b7164bd6fc6dfbe030f00fea2a986e640c8e0f68

SHA512
258827b80cb8e19293fbcd63265ada542d7c84628b5dc95ea1b8f17341f1ffc04e6043d5b11264e91dac8e7894703d9831fb7e8339aedfcc4c3069c2ff827f8b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f79aebe0c0ea68433a79641186bbf979

SHA1
8cb283449b77b9ca362c3449786ae4355a30c658

SHA256
33bfbfa9b542859795743ed90962a55bc70464e4800a4b38960bd8296bc86849

SHA512
fcdad502082da3ac33a73a1b249d618766a119d21c12b1dca0330db06b4df83c4795bd7f5f3e51c83da4e99f8ad696283cf0d1217c26762203ffc6b2f35bb2f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
60294c43df46121bd26a8dd1a1f57aab

SHA1
f1b4316b52dab01bc9b6b8eb09abdcb2996427ad

SHA256
de887a1210bb6bfe630a15fe60ef5297c9f610c39ba12c5f684222dde3cfca8e

SHA512
5ee8f17d2ad5eb353a394f4a223840d01c5647876eda490c3ee804e7b66d915255b88a2dc3ba0473c16909ca842cd78205e471ee08661bf70eb4868f7ae91bd8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b807094a173e1426ea281e2854972aa0

SHA1
e346fd73f6fa5a0b95d5f2a083de41ff848eaee9

SHA256
bb10f909f9e028b091c0c0734405f08c5678c09bbd2e3ae9641db879a30b035c

SHA512
091a86312d243149f74437cc2aa5165d92f1236aa8b703e8f3d49b4162e05eea5713138b88161eae7aa59003a956fb0ae5bdc601e38a324ea43a0c303dfe93d3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ad3ec9100a58a1bef103f3bef9a971c9

SHA1
191485987ba6b7c89a4ce79f8ddb8c252489d4f4

SHA256
1f43b5d6a02389de42c2e457ef1009e4a2a869c1f4f02a1d179d647e23fca57b

SHA512
480e7d92d6a3a9030b43b84121a1343bc39ffa02340fa89018ae2baf288d42f232050b025e8f7f858f20bcded60915d95db2f145098652743a5851e0e1a59c0f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3019cab17aa154e8180a772868e438b0

SHA1
cd917b2990d351239dfa20cf22002ac24590faf5

SHA256
af220abdbd857a0a513c6435e68b64e252ec83015c809b9bbb6fcde65c6e30d5

SHA512
200ce3dab5d4e764da74ee112738d74101cba71ca654163be0177814e30b611a95e3e132b34e86dee09297eabcac197ada1a15b482e16be3f10a032e2e1207ee

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
868cad4f4b356bcc29c7d5804b5812b7

SHA1
a1b3729871fc9749315e332fda22b9f3df030184

SHA256
0ce4b972197b284409de28bd128484c0200b056b2775c9082ae84b9b186031a0

SHA512
1a80a9bfa8235722ae9837260f929f7f184bbd9d217be8db701ce2b6b04e5b6b9611aa6acb6667232ba7e8caaa8fbc9563c431f4e7cec219ffd7ff7c34d23792

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
91802a0c3ccebd98a892f45bae436d55

SHA1
ff69a9e37fba9525792d0c69e9b350a39f195459

SHA256
7b2f437e59ef6ee6356abad5f3ac1050a12922bf5c33f103e1169edc82a32d1b

SHA512
fb53d1890f675612551f9ec93e8eb01e6bc1f44f010876c6b6e1889d46d0b381de38e5bf0cc36e579a721f928b73af44bdb6b50facc7d8f348bf183eacd9bb5c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8de1c62662525e67c241b8001398dbac

SHA1
2881bdc880d03e9006c2b91ba0c58ae815d4d6ff

SHA256
bb6745351aba3d134eb4013ee6071dc879187257e68d1fc41ac2de530ac67c65

SHA512
2cfbb389032b0336798e32cf567f63cb54682544720ab270a6b3f3dcee3dcd3af93bd1827dbeb3047b2b7e86e7b966e79573f3495b808e86106e4df297d455d6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1c8220159568af29ce6f33a39b255932

SHA1
2a182569635620dadcd1b6b78ab076f7c0ebe994

SHA256
a617541565d0d8f8bb35587c5e11b57a65ff50a8908948309bcfb914b2afd2f6

SHA512
4891162d4b100d663ec4036e67c6e9b3db491fc376832f5e5e427f021dde5aee4af4e1ef34513760d21052935b841648e3d3b8a61ba672a20f6449dc2d64db0f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
54af627f8dbd1c2f6ce0cc3264aae30c

SHA1
394e39b0572203181f10273f5866d1529901ce12

SHA256
493fe983da28e9be9ff6b043dc6f19dcdf6474cbd176013505f88cc401ff3250

SHA512
c06fed96a8410c8705fee9ed048428c87b035ccbc85d674774df908f39a9f04e24bbd7222d75ee8e13a9fe50d2e8ea4f4d66067e1801c8c45bbc4c818191979a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
761a792f2a0dbc0044022c44f0b7e487

SHA1
7bf1e5e5c3a3a53d88868efdcb90665aa09d6034

SHA256
e219623478d8b26138f5570e70c864acb9d0b696f2f962e27ec3240a1a35b8b3

SHA512
6cfda9c3dc582328c6e83b0931aa793cec92234b6abc8237faaf28fad3b36729ec7cdc805b32bfec3a388cf68b43ebbbc428e157a4c6c1efda4479df6142610e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
8be3ca1dd4bb2de152a6ca74ed628550

SHA1
9a9d3459714b5b3ce34a807fbefe301808aa3674

SHA256
5950aca7379619de68faf6236a5eae29e9e8ae6035aa2f0a97cc9d4c6c886a8e

SHA512
224023b0877493ed97c6ee66f7ef6aaeb749ed987d42766d9ad49b169a378b6eaf8630b09942d15819948416847409d373ebaeae274fdd15a046842049c5d0d8

Download Submit
memory/60-19-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/60-12-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/60-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/60-75-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/408-1-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/408-7-0x00000000021C0000-0x0000000002227000-memory.dmp

Filesize
412KB

Download
memory/408-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/408-66-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1020-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1020-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1020-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1020-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1020-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1496-50-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1496-52-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1496-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/1496-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1928-204-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1928-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1928-146-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/2648-199-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/2648-259-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2648-192-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3028-234-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3028-164-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3028-174-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3196-93-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3196-92-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3196-101-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3196-157-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3428-184-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3428-190-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3428-121-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3428-128-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3528-275-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3528-281-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3564-231-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3564-226-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3564-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3564-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3764-108-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3764-116-0x00000000008B0000-0x0000000000910000-memory.dmp

Filesize
384KB

Download
memory/3764-172-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3960-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3960-186-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3960-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4144-158-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4144-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4144-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4144-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4144-490-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4168-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4168-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4168-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4168-44-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4168-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-421-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4412-243-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/4412-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4460-206-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4460-212-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4460-273-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4660-135-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4768-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4768-255-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4768-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4924-269-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4924-86-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4924-83-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4924-77-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4924-76-0x00000000016E0000-0x0000000001740000-memory.dmp

Filesize
384KB

Download
memory/4924-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4924-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5092-91-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5092-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5092-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/5092-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5184-295-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5184-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download