b0e7f499ab41e56353ceb93ed066eceda0210b5f8bcee765faa6960164f96b01

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Size

24.3MB
MD5

3b37f69e555eb087b27b8da970011cb3
SHA1

e7af913f1c8aae8dc0222339af94cb36273ed760
SHA256

b0e7f499ab41e56353ceb93ed066eceda0210b5f8bcee765faa6960164f96b01
SHA512

3d7b27cb3d0cba4bd67d31643b6db456eea3644f0d5f3fbabe469be674089226dac0c6cf2e01a4e56fe308ef241cc73bf585971148263db486cdfc18d218d878
SSDEEP

196608:CP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018F8d:CPboGX8a/jWWu3cI2D/cWcls12q

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
384	alg.exe
4468	DiagnosticsHub.StandardCollector.Service.exe
4852	fxssvc.exe
3528	elevation_service.exe
2768	elevation_service.exe
1384	maintenanceservice.exe
3872	msdtc.exe
4628	OSE.EXE
2540	PerceptionSimulationService.exe
1432	perfhost.exe
4856	locator.exe
400	SensorDataService.exe
4028	snmptrap.exe
5068	spectrum.exe
4972	ssh-agent.exe
3384	TieringEngineService.exe
2264	AgentService.exe
4528	vds.exe
4640	vssvc.exe
1456	wbengine.exe
4948	WmiApSrv.exe
4740	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9bd9be87c43e60d1.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_72093\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000569455573a93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098242573a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3b270563a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006310d0563a93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5c845563a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d6d4e573a93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c887c6563a93da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4852	fxssvc.exe
Token: SeRestorePrivilege	3384	TieringEngineService.exe
Token: SeManageVolumePrivilege	3384	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2264	AgentService.exe
Token: SeBackupPrivilege	4640	vssvc.exe
Token: SeRestorePrivilege	4640	vssvc.exe
Token: SeAuditPrivilege	4640	vssvc.exe
Token: SeBackupPrivilege	1456	wbengine.exe
Token: SeRestorePrivilege	1456	wbengine.exe
Token: SeSecurityPrivilege	1456	wbengine.exe
Token: 33	4740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4740	SearchIndexer.exe
Token: SeDebugPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2684	2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	384	alg.exe
Token: SeDebugPrivilege	384	alg.exe
Token: SeDebugPrivilege	384	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 5620	4740	SearchIndexer.exe	120
PID 4740 wrote to memory of 5620	4740	SearchIndexer.exe	120
PID 4740 wrote to memory of 5656	4740	SearchIndexer.exe	121
PID 4740 wrote to memory of 5656	4740	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-20_3b37f69e555eb087b27b8da970011cb3_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3512

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3872

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3676

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2cbf6c333c402afa2f0056db317b508d

SHA1
00f0cd8e920c47dc6e829527190c74ee40b766e9

SHA256
c6b0eec4d96d90b9a46a78fa6879797a06605015c6b10db63969f44a2512d481

SHA512
acba29f11f8313400cd19a079ef8f828f6a182dbce0630056b492352a68837005610f64dfc04c89a627e183bde7fabde1eec2d3e10054084309a3da539ecfd62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e610deec9242d34d793baea18b0363a4

SHA1
4895dc128bfe519b69abf23be5c0e757cf26adc5

SHA256
6078cdf9f3f1e50f7713a8fe154c82416b7ac7409c1e7f24b4d1d0af1bd3aff1

SHA512
a6267ebaec7f9134c3a622b08a6f9de2a4d82aec356f290f688c8aedaa9cc373c35c71a9ed7632b9fd1bc8b2794178b68189b16f5078428fbb2c7c2be4ab4ef3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2cecb98c37723661555c0d62fa473d60

SHA1
11d938c7d3b6383b8b19a59d068707684f2f8b07

SHA256
5636a7625811927f5ed4b1a3627fc87762e47474bd1f075a82ad2b31925234c3

SHA512
2cb7ce242a1fdf39f3860036f1a1caf2e68a42f07782f767fdc76910813822debe32130ac68fb87d975dfdc22f25cdcce27ad5a429b4fe73093f87cf40eb6c7b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
41a672fab9df59d637def8396cceda94

SHA1
6709b2d983d7bfb4ffe30e4ede8e2e8ee778d1f3

SHA256
1885d3c02ac2c953c0142e78d0b12aab3d9d01569277ed35f3571516c5fa9327

SHA512
1edbef67c9ae34e3f31411b56f33384c55bd94be3844f418f01dcc0e7caadf523f29f903593b67433b3acf2f9d907c70d3b32155b81970493d65bb8f0fb30b79

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a107220814608e77967f452f206b971c

SHA1
2a6541294a8021951a095f3c3d0d630a81c2f9b7

SHA256
4daafce77324cf4c7198521a45abe1d2318ca8661b82d17c1c1983d21cce7376

SHA512
0902de0f26c8454b7eac43f7a62f848a6830176921c72a41728d32f14aeb9344c4690b7782a6b6e3b34272b38d82975e4eaacb9801305e28d9772aa0ae89ce4b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b4f17c5cf393b283b86f538a27465e5e

SHA1
4ed124c61c9ede90eb1232a3da44e16c9e8ffdbe

SHA256
c40931b6046dc9206e04f2b42c73b0074917253e606d25414bd750cb973f7e6f

SHA512
170abe206c6fa8b083d39dc2425a0bafc8ee5b6e28fb83915def34ce05874d85f28cc8e8e3b071427727e1aed089e86a7c7aba962c82b50f92c62b17799bbcad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f591ebaef75776aa9ee794227d00d278

SHA1
8fdd9a06607e168d9ce8920111e308da066f26b9

SHA256
731282dfcd8644d6a37be76eb06b9050603ae45b4058d16ced0896eeac19b30c

SHA512
10b7f3bb13ab5eb4c171626f2ada1409d9210ccd02176c903042a3a8999217c7ba3899f4eba1f4343004edc62935f54035ef52684e8a384f87de5c91db5ae750

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f311969d2c907db8cc3fd9a01d097b15

SHA1
bdc019b8ec9e0da3b92b903da48c725621fb26d2

SHA256
1ce7bd5d54e5877adb0322ca77e4cf225e50d73ab32f793cb1738abe8268e021

SHA512
b951f119b91a7816bafecad98e9ac2b7fb9f6e4eccf392801054263d492292342fee5645165859cb7a29c4a2f0c079b35ec22fbcb8e3e1455b1329c93949d276

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ab04c68cefa3231439de88bd9b687a9c

SHA1
828105a4db6929c0414931bc9f5d47e3a3c9f902

SHA256
c49207fb4b9110d9e3161759b1ec0963167b546c3873b403fdd288b7243b447c

SHA512
a3ab6836d3a12fcc0b7ede1178d3b4524614d360861f27ee78b1efb09aa821235583ae032c79885d9ff611a62bcd58a1a3c0d849920a9bf916b37a13b427d09b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a5f1420756543c0cbad64f20a6bfd5ad

SHA1
073be6be1e66dba941b7d2071952d93f8052480d

SHA256
f2d3fe71059e4a73b62e70e00d4fcbc6dd06a5cfa0fbcf878994c14caa055467

SHA512
f9486c16759d3da5e34b775dfef57a715f8b15029adcac80cf9d15a8ff507b372bb9037b63e1493e2e1be03ced409acb40736b6aff14008449b156bf85289578

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d6249910da7dac127f0c85b6a930372b

SHA1
29cfe612927938adf955036fe88bb9b2542232ea

SHA256
3e5f9c8cf0733ed7aef74f991a39aff40de577e56bb3709beee1da17237afe16

SHA512
09b2fceb246724ddfbd4e6706476dcaf8ae2f1f7c486dcd4f29405e340bee131835227616932b584719e0f206042bb06f702921cc30abc2d19f8edd9ff062e54

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aad5471a54e68e179b6020ad924bbb4a

SHA1
fb1c947c45fb9c7bf91d6b32bbca0609a198308b

SHA256
9ded6a4c6784c6bae01c6a994049a2d41532f910377f1f4c007ff3456224b38e

SHA512
59addcb9e3756546327050acf30c980db1836fa44d0893020d9331dd4bf69e081ebed4e25aa6226f1c8784bd9e7a6126f74451567ec80b34952ecd9e96732fb6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
56a78bfc6653607802ba62ca05ff3219

SHA1
2485fa530b7dc0a29325a2fa3ee0eae1d9d7e8ab

SHA256
85a5aba493b12d4d0b3d82bc8d08a743407fd4407aaad477f47b3b6bd626d3d5

SHA512
3cfebeca5bad30ebb41217c6d446dbac512e62eee28fecff96bae0e9357bce858e3a72f2086ca74ae09eecf7761b1b38e00901f41438116d33a307df08ab714e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
88619cce8d2b19c0c7281b8fd205e3c6

SHA1
db214245bae5cea3d7ec770ea7216cb1852ac699

SHA256
8e606ad2741d019a3380243efbc29ddcc98feb8163b4f46ca4eaef383af10c4a

SHA512
7c557dc3ff6d7fbc13548158c4e636ba5764638d02f801bafe1382ad8164abb78eecfb85349746e92c16e7869018a9887a99cfa422b024fa7fb859c93e768942

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8f304cd85cd7f8cf639919a454d6025b

SHA1
590b8763b6d8d148e4ff75173cd9f856469afc1d

SHA256
4a50eb544af60a46db6fa18ab92374a24c74264c4328cfb30431618542aeb6f7

SHA512
cc186680b6cc228abb9dcf63559ef269dc5d879840f7a7c8a29f68f188971a82180af56ba71dfb9b2c287b85ecf30c7e6f54ce010f28e3f570de0b0c568c4409

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c3cbc31bf19c6c64fb14b0d9c9bd8a60

SHA1
2c2e34725e0eca31a210d441c5a8fd5548534836

SHA256
4610bf71d3cc6bef94a7f5ddbb59db9f3b39795fbcd0a664a01e81450084809d

SHA512
83b9474b36ccc2ce4fe0809bdb7110c358c565968dc3a6948f0e11128be68f75692432242ea6f194aef444fc1adbb4083a59392e189c6d6f0d2a2145271cc899

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
edbf3264709d838e58b277814dbc3167

SHA1
8ccb437401f7ea5ac5ba1416ec4127888b3af136

SHA256
8b1b2e3e0a69235d5f4d768369af60b2e074c0b05ccf99939283a3c85b3ea2ef

SHA512
cf051913c84ac9f94e5ada277a2a1778394c28e821807ab5efa08dba6062c68d8966c20b3e4b695e6fdd20b9c59c2676ef32800e4e06cc46590b8f0b830f5e8c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
aa29f03c938d6a493a495711d8116c24

SHA1
a4661c6980ca6766bcfe64f0d8a1aadbc7757595

SHA256
27be138d9aca4a5b64b07c7dfacda212579c4f850b668e3ffdb8a4a196823915

SHA512
c5e158c84b77a82488189d185b378754c9b6aadd32cd0d12ebf9cea80701ceb786fc04c6807d52d1ddf45ee1eb91861ef78280cfedd17f1cc6df917a5105c508

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3afd850f397a84c5479733046ac64883

SHA1
fd645eda97b180a4e4ff36a1d1a3187924ec0151

SHA256
81515f835ce932bd5ea5b3e04a3bf7c74b6323b12199ffb5e700f2ea5287d412

SHA512
b64f788f6d22cbfa75bd19ab6b7ed5972d66be72a085515356075e54e51cc6cee6276f105cdd58472b6d0132fe0369dcdf1027330a64fa8c0798ec203d49f3de

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b314dbd4ab0cadbc79ba6e1176b5ec9e

SHA1
919ad4ec5c4078b410d2cd1099f9b6e162483792

SHA256
9151e03a99fe870bf097eb6aa855509c47cc2e17759dc8e1665de735eb403e0b

SHA512
1cb14989194317b4253c83755088e68045333b7f44dfdfd6880fb4fd8d58fa5c40aa4418ee1a91da96b5a9f788cc99d93f1d6899d18041beb92e7d73e7f98a5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
468f3f6b56efd191a6764ef66c4ec2a5

SHA1
75e18672c64508b3b74a252bbd54b0bbf64f305c

SHA256
21cee8cb7540cbaebb5574fb4fdfc0a398247adb9953fca3e8a62d2d64942a9a

SHA512
734123574b5333e4e603d8a0a3188945ce1c5f15770f0943f3c0041937b8c2c8e7ec47829e3a3d50d49a5efcfe0ad26ce33f50fc6c86fffc1327438eaad582bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2320eeb37dd3c721aa230381ae02019e

SHA1
23747dfbc4e381dc2f31e92e14595c275cdf7dd8

SHA256
65253a08369fdc6c04be309b8371a4b276a9d15750faaf6500e8cbb764c8d228

SHA512
49977d65a892859f511b6bc154927dbb15bcba5c90c140472775a561e40ddda705b35b5a2d34efb5959e4436796333351f3930ac61e3e0f5a424322586801a57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
792b30b538a0cea1addfbf1db46da5d1

SHA1
3625bfc0a03bb0385114447f23ad6d8eb407de03

SHA256
94efb109609577cd7d152208c3c3d8781a6d3dd37039ee2ba3009c387f571c12

SHA512
2170e045e02ac7c2d4918c0dcb92786acb93e8bbf85ccd3b12d2e18fbc399a90f9201557ecefbc8cd744acf3fb146e48327569ab851f240dae88b11345eee69b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ea9a0c4e1e5ba02d4874cf101d5e1347

SHA1
1f968b1b13933ec6f21882c180de3b79586a3f86

SHA256
816a6a4798b61d5469adce0abef51b756133e704da54c62537aacd566b5087e4

SHA512
9e99d3d4d72a8ffd99dd2d099622e234448b21dfc060f17263ccad38f4db405e0f8392bd4cb0058cf476c8f4ed52b41ea44ec77b4652d2e40415a8428ebe6c70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f9627b88cf72e14f83890ae729c5cecd

SHA1
e9f5737da40f7175dbe5567e768e9d4cc28c8668

SHA256
a3c1ab0b8d8b0b9d1f5e6d21fd3b8f85a77893a52b4c5445965f5e819b96b300

SHA512
75ae0d41e07f9ad5e6073b6c252687a2512f159c4f65067559320585cec06302e9ce4f606b3e8d32fb47e3ff9224f65d3f6f26394ec03064582b609371003409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f6508dec2a6f890f2a3950f40453e189

SHA1
7755246345f1df2416172711586be233204f27b3

SHA256
3487aabde093b0c1240e3239d4571d94dc3187944d5bbcf0d705fb38725d0e48

SHA512
d077e99591ea1ff9a062a9315a637107e166452d2aa5305e22ca875075fe5b36d9eeb3a1ee6f344accc344e77eb1dfd2d1ce4c371a31e3f713e9726faa6e3293

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f97e86b7440eed7ce2daf2bb48a61694

SHA1
0a66d1fca37299865ea6896d28e0613f16503b7b

SHA256
13301aaab82e745e3dbfa9cdf102e5cf81255ac654e62266b7355b9c30d57beb

SHA512
024d7d6b0edc5831b7cbcef7a3d8d763ce043795f436ca61b9494c1a005a1b288889c713375ca49c7a3aeae03a8b5532b088fafdae77d7e164cac58985a37081

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
005107e6caa0fa9478b17e4b3816ad8d

SHA1
4a557781b9cbb2f560754c10dac8433ebc69c602

SHA256
48e06d3a69c9bc28c6f4dff874a75fad56cf716a1062f93dc16e0fa7ccaf09a8

SHA512
21aabdf8a52814127317e5d3bf6f89e0f2e4479560fb5c18f0f03a2536c005452cca570f9358123e2f43e4314b4472ea019be1cfae210199b73f31ddf51c73fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b4c6f41637c373c90af6b3b9f92eaaea

SHA1
cf52970a1c0319425fa2f35ebdec4adc52958cae

SHA256
3fce950a073efefaa340223e8239dcea1f06ee48a5500026fda89e2c5860569e

SHA512
3c23e003e5d4c23cebc1d8bb5973a5446c966c8474ffa7d4992c61d2d351e2f17f4984ea11572e017f6d3f9fe18fdfc8065868fe23a0667f5967635784731390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
af9cb8ff7f2566f975b9114b38b1d496

SHA1
b95bc9563301c282f30ce1c332787224eecdbc5d

SHA256
991da7e2b7a63b3c0990e21dcba11137a6941b207f17fe720a00c77b5c2ce34c

SHA512
e186819e89ba27925af3105fd88fe9ceef71300fed520d37b1a1b294ac8a24da698770c362c1d590b4e6d3cbf6e1f1ea92b0904ec64a93808c7de158936734d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a64e0545b069016defd39c628d9f6030

SHA1
1592eae0d1b3ed6ac7a795191d664cee158b9394

SHA256
1cadcb3ba9a4831234cbf214a7bbda5c38f2e59049b459b6fe0470151461734f

SHA512
77bf5d656d105050bd2cd2545fda2b1729128b00b75cf45282b92a0c5f7b1b4d08896226255797e0ef9c660d0d8e71d9b2da70510e32338418896fb06c9fcb90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
df050184433b1ba4a5f6a37c03a286ec

SHA1
89ce1e932fd00dd084e600884cbefe54c27cecf0

SHA256
41143b18118972c3aeeb6d72eb1046b5a08ad9458c0d656a203c0234705725ee

SHA512
0bf568618449020c590a49cddc18c115776d9ce3a697b228b64d1a01771b88101d2f80fa20cb44cf5ece3686f5ed9edb444c70d55046461e636d4c9be2d81f12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c43a4a10eb2e0c90873ae40307c634e4

SHA1
16816588a38dbd04dd0c01b9fe4fa0af72f941d8

SHA256
86b2f2b77efc429309cfd3e0642e573f673194c0634fde23bf0cd6a5594f8f0b

SHA512
fec13200e67d9d535742e8df8983f165480ee6dcbf4fcbe5822c71c5630227ace547f2abcd9b839b008715dbc984062ba0f61c58d545bdbc3c65b8523daed6c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
dc05a1787945c3936899438a27232f22

SHA1
23e9b75e3a843e5d293524f42f504db97e157719

SHA256
5359ebf3a4bce1e5d22e5b0d989f01c8eec294bccaf6cc4a1013399b48cce50d

SHA512
74363cfc5ac543d7d3c1d7b4121deeba71a86421065533c4ccf7f5acffd4ab1fd06d6a9386ed9cbffa0b1ba9c6380a01752facf077ca5f648dc2db28cbc4fc81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
82ab9e08b5b10d8f0190864f1eda74ea

SHA1
e6274f670aea90fe4ff0b682951fdbb51e17609a

SHA256
ffefaa10c486fb3ab7e192b47c20c2a26bf22627ae1006367086e3f06559ca51

SHA512
2b60e245c85f412ec80e87583c2fa0237a67bb0cfb4b8a76631cca81c1c56e59d8bdbe8e23be3287faa03792be0520bc4e87929a4156ad8dbc94e751e3361e2a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0e961e47f8c08a6309934c4ff1b06866

SHA1
6af45eeeec5835f11ebc13e38977aa20ae7d9892

SHA256
718dc7a7de9a1685a3fccc7fead0c3bd76f1768a41ef87b615788d5301323ebc

SHA512
4728f6039164ca3e1ba2126a619ba4280cd7a73359769eb8f782b06991cd256ef9a66eea7ad916159bf244138f664ffa2dfdc4a16c8493eb4f711a3db9f3cca3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
38b80b7348d16311dee92c4f700f78e5

SHA1
a8d8c0ed88402b783fca23305503abb9d8c19caf

SHA256
ac52286488b2618f54e0ebbe1496af01f9e65644198698241d9873e05ae7c036

SHA512
da1575b076550b12cccce1441230327f5befeca57d1f50bd40445d340dd157fdd3feae9612b72287bff7185dfe0222bca426402b69ecd35e679a7d5b8e74e0e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4d509b65ea4f4b9bc00f97cb5cad962b

SHA1
9752d396b92db3f5565a72b36698444abb2bc9a2

SHA256
fe6717c9b8f74d54944bf7e555f8622ef07e4c16d3039b4c33297eedcf481049

SHA512
4102063816d61caa025bed2e7047511806a1ec5faa90dbf8d04c8ed877983e3e1c37c91ce36e324c16c09aec8b57e110a1ba37d5111b3c71c697b33ff408c36f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
041297fe6beb0506045cbb82c76d6afa

SHA1
49d92f879dc97a0ef886b136f31053ef5aa094d2

SHA256
6530dcf1b82f3f81a940736515a94a34462bceeafc5faf780e72763893117d15

SHA512
80d190f0f9de5b99d1c71124fa86d8710d41a1d35537b84670526ddfd8945375329b2c2a9953e565cd5f5e0ad186c09bdd2c234d783aa822468f4ba2ce4122b7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2bfc417b6aa274f9070da2b442243b69

SHA1
50d68b15de717d07067ee1c2a16df509b07c8326

SHA256
cb5c83bfe701a0b28b1b4b18f35430c53aa652b62953de0a688db10dc0c395ad

SHA512
8a0307075f240b471b7549d38913d26fb03f805cdbbe45d73398414877b15b38a240ca5272a4d1ef49f49107b1dfadaea600d916c5ab576286be138083af0bbc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cc4bdf86369e1548dd41ab3c4e21e5e8

SHA1
acc2afaac7f3807a521eb077c338c3b194e3155a

SHA256
f108f39039cf140a4771d6fa6200df7a545a7059e5fff4487b3d1e6d77fdfb82

SHA512
1918476abc7c107876927152b90a2c389a8e49ed51aee4bb6a9c6dcc6c2463c44963d4624bbc6f3c55eca6b39d7f993c06a1f649c84a89b4313c591e7e4c0418

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
115df897f9427c2eb5293ac9a3b4f0da

SHA1
6f09e4da8291d232fccdb8ada66b012a82bef671

SHA256
9c42bf22f9ff5366ccf44f36110d2267c29217281e039e1efdc903e5f50e6014

SHA512
da86c4606d3cb0d3c023bdd8a2ce75fcf0adc4862822d43c5ceeca33742eb455a360df2f0b64875c1f3688a0d223f41e08c730df6acce6986877345127063f79

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7070faf27d37c8a83fc145983435acc4

SHA1
fa9d09b52135911cc28ac5ce9c32a300e58a85cf

SHA256
0da59d2b746833aceda69fe6b0f83f1e0780eaf71c0a5b0a566fbe859dfabbcc

SHA512
ff39cd11f81e527712dd70cd0d3b0b276f79c06cdf6cd064719f6d99b86f174a1e9c3617e104ab17a6d91d8abdd13d400e05c30a6556fd2c84a2c59831337569

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
415d419e1898d3ff7a70588e67f6c519

SHA1
182d7073016442aba1964202904c4cb574db9672

SHA256
f27e57983411b33fa87be79677c2dc4a263636fb55239ec84dc4221e52ade160

SHA512
2cf81644f1e41f3915c4027d55c22d27c22f8174d1f802603c01e6d885ec580047b9363746b5207f1012521d0198267f262f993a06b7357e425db2a3e1a4fcce

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5f44b5651e05aa1b3ed14afe82a5123d

SHA1
6b878fc737885406a24be94863a5f7d0f63bdfea

SHA256
32531cf4df8aaffeb1964d6215eab2435ddbab495941a381679f96a68c4ef55b

SHA512
a947c1cdc385abed42f5c0c9c41c7f843be1a206c27576bd45199a44b70da99fac96d569d7d72f82f31aaea87d1446e0feb89cbdee8ce47ad8ca1211010764e8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
38138de33d47002f130ede29b0ca5cc3

SHA1
06f5590b007cb3ba23ccf59567a5d0964033b940

SHA256
a0ba8242ab82d6274c7f336b280b27dd68ad5cbbe3c02a704c4350948b95f776

SHA512
ab015a6040ccb6fe5619054bce7235b1da63876604f28b3d7e4ef97520b40ace291a3ff0325670d602b1a8ad90da2f1bb0197506c843f516b07fd227ee586258

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
48bcb307423064e693f8c58c89c30e77

SHA1
254f468ef6838fd80f5444ceb9b75be0c1a8d3dc

SHA256
945f507f76492c9cbb67479957eb44070f0ea28cce22d5a4e1c164b6679ef04d

SHA512
9cc1aebf9d8e46ae47d669b6415758d1616a66e7a0f051790240ba5c06637cde929cdcd24a65347b9abe95e4adc10a95823aa5282648c69aa7f76b0d7009284c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
bd3b833bbb3e974767b9fe47f45aa8cf

SHA1
2325c7b5b8c902830b9efc28629d76ae4baffe56

SHA256
a8f504f84171cfdbb46f7541c20a5767a2e32fb862372729758463523b9401b4

SHA512
cf7181245ff949794946db571ea683cb7efe9e43c6501c04ca9f84d9268806876919aa21387e114305b80e738b5fc3294e86b29497005dee0c2cedc951c11707

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
61380725bec24e7e9d3c09eeb9bdc46d

SHA1
e36704f96dcf8c05378c1becbb177aeb215c11c4

SHA256
6da1bb83dd94871950f8895d26cc0507513beca1f48a3b52837e42275ccb5984

SHA512
d904f8125e17a3abc26158582c0ed1df9dbe014ee9d26e982d5d3d8ee917fec3e26111b74fee470f5164201661999730ca9aa511988699a65b08538e56e16ce3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cc9ca67a3631e732c21102c290218adb

SHA1
5b11c3c6fd45eae252bb644075f7a8257a8541e2

SHA256
8655b0c7a7f9fbdce750b9f6f346ce45393ecdb9a076c349c7ec16f5f2d74ad7

SHA512
822ddc288a0c2f7573f97e3daa688587774764536cf4925fc6a12185c846ae58e849130d6e384c2ce8217c259c9254a9f740461135a5e69eceb561d4c1f5e42b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cd8739a8dcb7667f35a8fb86920fc7d1

SHA1
347363daa08e227c2188c5250cc042a5e7ac8162

SHA256
f26b7ef80598a1205f8e38fb936f038a36a2f1b06eeaa791c93e3d74ac30697b

SHA512
da775c54d7a8c08de9da492f209f6dc8f4da875be357b129153edbe3b090a8fc5152f0176597f6bc3d080e5824182ad7c9327d4787079309c3ec754ae341e690

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7ddf09b99d578acb0bb65555b25ebdb7

SHA1
e763a3f8c6f27760c9f0f9695aae3f323534c6f5

SHA256
9f129866263ac56d719d51f84b219d7c3124388e2cc32be1c651e1c76a292fc9

SHA512
d0da7af6703cd9ddf28ee4f38784e1c4cf20eada245cb043520cea4e2efb2c725d3451500abacef4fcda5b6baf61599e38bb8ef1bbe1db985f7542c21ab68b8d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
161ef9e707535525dd8fd9c65a4ca58e

SHA1
981d2922f763744de2fc66b3e27aae6a5d99b30c

SHA256
3772004fa7fc4fc3ffc4ba803e347b45c5715a1be1a00074d03d3cf924382b06

SHA512
986ecc7a3662633d7fbf1bebea26fe16bdf088ce8c1dc2cb4cf8c3ae47cab7e5c360fc3c610eff4a04dea7dd128187a091bd82e156247400df8bf121130535cc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
625298189f9af125146e599f9f472bd2

SHA1
1f502a5c728bd2530dc8572c7340220243608515

SHA256
9f7376dcd05a0dfb3390c2338c88ad469f04c8a85e57997c8148fdb8beaf8dd1

SHA512
e2f9f63393a9bcd3c5c9a41d6fe083add7563fe936e0e0264f416f8c5a22049d4ab970ed7d2b5cf4616980764feed3f6ae7f3dc2f0282a15048516223575de00

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
29722f9002c432410aabf5d4fab9c178

SHA1
b5f19a37972cbb904c0581b0c9afdd2f202897a7

SHA256
27fa65b046bc44716ad508a9f21449adfd79c002fbf3aac93d3ea99f01d2ac5a

SHA512
4738bd30130f1f4bbc62f1042fbdb1e4c725a8b3b9b3af9070eb7defbd1f32826b18492c6372a9e90cde63730531cd9c939b3c7bf7029547a0d1825c3a07c8f6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e17e790790949a1e839da5ff99390ae1

SHA1
3a21352bd84f857e16d7b6c7b7b78500f0c68e86

SHA256
5e97f914edcbed257b3237a81d65edd0ff0dced84eaf7040c23c2dfab51e35d4

SHA512
9c8199bc7ec9e47d0ccaf3e1b43a72e11dbdf8b5539dabeee510fa7b6bdff2964c6be07cf75230654211dd89da1836d12b60526190e89fb1c728ce210493e00c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
44612bde078309381e0d221e8d0aa482

SHA1
152f812a5ee76bbb620d6c570a9c81f37c59dc06

SHA256
48e82e845a3a2d7e6f56b2839d88632e95812632faa220b538c004414b2d8666

SHA512
872465e6d542ec26fb44f1a8d99d1830b1ff9bc863e0d228b716ee8d2b0b69554c42b4cd8545150905d8c0ad2e9ce5ae67c8a5d0a1567a8b3094d741c15bd9f5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
761fe21e58ccabde31949b51cbce96d1

SHA1
24b0632ae27312acb6e043c36ef85385430da6c9

SHA256
89e0fc643dadff7acd3b1a7b4a23a4f0dc3bc2607665333d1b6bc2ddc2b01410

SHA512
c850bc3ec6e2a9b9c62d6173f0ae29e0287125036163cf31c417fcc650e77dbb4cadff22791a291de07444a2e10e1655d589fc4e34eb942ccd44f79fe9aae0bc

Download Submit
memory/384-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/384-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/384-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/384-77-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/400-170-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/400-162-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/400-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1384-89-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1384-78-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1384-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1384-86-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1384-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1432-209-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/1432-201-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1432-143-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/1432-138-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1456-275-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1456-281-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2264-238-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2264-243-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2264-242-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2264-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2540-187-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2540-125-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2540-133-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/2684-0-0x0000000003D70000-0x0000000003DD7000-memory.dmp

Filesize
412KB

Download
memory/2684-68-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2684-7-0x0000000003D70000-0x0000000003DD7000-memory.dmp

Filesize
412KB

Download
memory/2684-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2768-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2768-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2768-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2768-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2768-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3384-218-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3384-225-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3384-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3528-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3528-60-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3528-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3528-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3872-160-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3872-104-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3872-96-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3872-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4028-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4028-177-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4028-184-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4468-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4468-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4468-28-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4468-33-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4528-255-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/4528-248-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4628-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4628-120-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/4628-175-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4640-259-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4640-267-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4740-298-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-45-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-53-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4852-38-0x0000000000A40000-0x0000000000AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4856-157-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4856-148-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4856-216-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4948-286-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4948-294-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/4972-204-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4972-272-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4972-211-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/5068-258-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5068-197-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/5068-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download