e91d3008f2603a52f29dd39fe679bc7122c971d7c1d0d1960776f1996b239d70

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Size

24.3MB
MD5

0932cda29cd2475761e2171a3176c149
SHA1

62b1cfff9420d81f690c764ecde2ec22f0216d7e
SHA256

e91d3008f2603a52f29dd39fe679bc7122c971d7c1d0d1960776f1996b239d70
SHA512

a4aaf12dc8663494e59865133bb6e2616067127201f76a35df3960e40cee706eccab4cc2d275c45a233e47d1e1c1e63f5e2a1c50da93ed953750be13c4ceb588
SSDEEP

196608:qP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018E:qPboGX8a/jWWu3cI2D/cWcls1F

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4868	alg.exe
1372	DiagnosticsHub.StandardCollector.Service.exe
3388	fxssvc.exe
1944	elevation_service.exe
3204	elevation_service.exe
632	maintenanceservice.exe
1136	msdtc.exe
2580	OSE.EXE
4464	PerceptionSimulationService.exe
3312	perfhost.exe
4896	locator.exe
2108	SensorDataService.exe
4184	snmptrap.exe
3476	spectrum.exe
3212	ssh-agent.exe
3304	TieringEngineService.exe
4456	AgentService.exe
4044	vds.exe
380	vssvc.exe
860	wbengine.exe
4416	WmiApSrv.exe
876	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

alg.exe2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8038d59e7489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e91113956199da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fd817956199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b41c59946199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ef5d8956199da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bd193956199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c24106966199da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe

pid	process
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

652
652

pid	process
652
652

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3388	fxssvc.exe
Token: SeRestorePrivilege	3304	TieringEngineService.exe
Token: SeManageVolumePrivilege	3304	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4456	AgentService.exe
Token: SeBackupPrivilege	380	vssvc.exe
Token: SeRestorePrivilege	380	vssvc.exe
Token: SeAuditPrivilege	380	vssvc.exe
Token: SeBackupPrivilege	860	wbengine.exe
Token: SeRestorePrivilege	860	wbengine.exe
Token: SeSecurityPrivilege	860	wbengine.exe
Token: 33	876	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	876	SearchIndexer.exe
Token: SeDebugPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2824	2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 876 wrote to memory of 3776	876	SearchIndexer.exe	SearchProtocolHost.exe
PID 876 wrote to memory of 3776	876	SearchIndexer.exe	SearchProtocolHost.exe
PID 876 wrote to memory of 4380	876	SearchIndexer.exe	SearchFilterHost.exe
PID 876 wrote to memory of 4380	876	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_0932cda29cd2475761e2171a3176c149_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3724

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:632

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1136

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3776

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9c3a87b71b1b8e10c1181833b3d8c195

SHA1
3389e7d2248cd1cda45506d298a7ca4a6ff0d5a2

SHA256
5dca6474d5162a0d3bcae940ea3fb67dec4ce51a9c7428b5eb1e1d3fc49550a4

SHA512
24d504525bf553a8e2ff233aa41ca868b45e6a4b6894b75258a9b22a69a0f6c4ed0d5197fc6e14b00da430318c61e8d5665342572347ffdfb893253754289174

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
37bd33257f0b0a441ef2b14b381f2a0d

SHA1
333edc3bce1cd33c2ca9a3c84f8a7af8f2daf82b

SHA256
7b318b0d23bcabec39de49e98c655bf40014441a32cc70e8a1dcb10876630959

SHA512
684464f8ea294a8f55df7f297ffcdb3f1371928532bdb1f9c67e1f63b80a03d2ab503bc7b223779d9572524c38c7de8b940711b7471c4dc5bd8cb8675fdbd6b9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4c19444b91db0faf7b21cd4344939533

SHA1
6c93c58673cbaf3e98abac8f7f8be355f8ef11f4

SHA256
c7ec0b34933a1e89257e893f0a11be5138ea1c75a2ff296cd0eb5a6a4ec2236f

SHA512
0dab30987b44bf0c64936101cecf7aed0324f564b77bbb69959a7ad4b130b314ac72a7201c8af011db9890f8f73b91c66aec974045470fb6d2bfa2b796224bf3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ba323a1e4dbc352df43ff4e9fb89cb1

SHA1
48c8d18dce4384cfc64f993b25a113d2c2895caa

SHA256
ac36712f5dae9c725209a75eb4db35ee2ad03f63f3de2e3be4a1343bcfbff68e

SHA512
06b95642cb96872451da50a35b38348f7faf45fda289fc75daa51557ef6f4d27ad4204a9b623a0ba9fddf80cb2091145adea648e713cdbe957cf3de033b6ca1a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
37f70077bf8a0df9f45cba6ed1563336

SHA1
2e27ce8f3012f74c6ff42435b5c66ba4223189e6

SHA256
7c895746227ae5c5d524fa7f808032d4c65e5b68ceb044a7e261475965cd947c

SHA512
70b6ce40b99383ecfe4b7324a1b7644cfc21d523c3885214cab171aa03d608e359644a12002e62a4f63d427a0966dc5b4c7988f723211541bc2b47614112931f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2b21ee776e615e08cbbdbdd890a998d3

SHA1
22b729da1b44bf8574c111ba4c87f6ec705dac5f

SHA256
181921c14768f22ebc5b48c2d784cdbea6a6808fc645a90ee3d20c2534cc5e0c

SHA512
a84095b92e909d7fc12b77229adda56efee382be5ed6470358788ee5f9f29fda441da9bf5a9f6a0543b63ede798dccb1d6d5af419b83dbbfb6975bb886dc5e5e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
dbabcf27630023b229fcb1452d75ffaf

SHA1
daaa98aad47cb23d85a060364f3052a2503035b3

SHA256
0626b86442d5d54804d1afcac6627bedaa29981c5cc82bd48fb301f615ddde65

SHA512
4c03d3f694ab718bf34c01d90fc9df0cd6130f648239727ce92ef9974fcdd1475f2e88f7799480b59176cab48c561fff03cf10881533a789afca337a2ec48ec1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
fcb7b81de3d4fd4516fd8ac412648b85

SHA1
e6569959e1de1d387b410e2807d65203cf9d55d8

SHA256
21750fbd2a986702e44c66ed8f33d63ba9f52f18fbc7856c4f89bb8b07621531

SHA512
2227a7206416ae441def7e1b1a376ee90f18c0c5bcf0b5f62acb5dbb6c0acdd863f5e5ab4acb5df22eb230ae61be4157805bd297247f72bbe2b6d4179e7b8918

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
963134828c06e4566a535ebe91f316d1

SHA1
bd7aab5ccbe7773d72ae585e94c568ed9d66aa88

SHA256
ed12151de7e30cb2ed11b1ef52f8fabc8eafeab9b2c6a22616f22a5f1ccd0b75

SHA512
19542a89788569dc74aa2a6e6edce2cdb69ab02719e46148290b655815b7e34f2f661201234e18709831fd83893b469ad562d99fe7cb3199e7990a6331630ecc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2625b474ce257c65e62c388c10b5fbe8

SHA1
d76c01a5cb3135f66b937a15ad9fe2b73b216cfc

SHA256
29a6213e7cd6f60ad8fdc77d83a528c5158655a4f697c88b957a59df7b449f52

SHA512
1781cbc22ec3867f1d3c62bbad811fa375d4db7c1bfe574631cbe22a89680d91c97b73b89076ef0a9dd7541426ab54542a728c190de2eba2acdeb9b6c4eb4099

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
82d89f985eb95810cfc2a0e1920ec34e

SHA1
2199a70c56aaa646325e9a063c426830f01850cb

SHA256
ca213692a309816d301272bb1d7c5b1f951319add3d32865d5a3522afa3f017b

SHA512
da104117d5e64252f8be8b0ba45e48da2c61b09a3275e2394ee3c2043e0cf2cd6e3537465970d42ce0b2c8d71658e9803e55e90af4fc34bda6b4b0e8de800bdd

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4f2d9584cbdf5cefb61f4fbd70584694

SHA1
a46bb72c022a98989958aecd066a1e8b10f02f2e

SHA256
3ed260f38631629d4e911fcf9bf9882270dcf53794e5f84da4d411062143a8f1

SHA512
f3b0b61c7df72c99ac5faf3cbabc0815ed94f541d900fd54ad516cdb78f1e5516cad5e7f3274ca30201275d9eed9d3fad05881acf94352b2536be17d37060926

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ba09274969f1828a220ac1e130574b34

SHA1
7db17ccac9d68a855c9b848e1d7022951f322b28

SHA256
380266c9cdbac992c1d612309379967975aa57d09b20302f8897bb443aeefb12

SHA512
1296aae148e48aa869e97c501a5a16f178206efde298c7e6f0eb2879eb024acaf838735e25a71df7a45298032bf3acb2627bb5a9c1c2c6a549c0e93b7a8bb8f2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
6cbca5aa83017ca9b643b7aba6d1245f

SHA1
57d61bdd32b11977caefe903f8fed851b5f0dbaf

SHA256
b13e2b2494589f8239b97c3100b5feac183c20ce93ba5d5b5591d0c0e0de7f5b

SHA512
500a9206378124401f5aec307da0e719e395ab5d4abd0453a40ba2c0d289f498b9d69f80047093f09c35e63f47c130cb49cdeb48df609bb0f65e6dd14d092aec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
94e15c5129b524902fa0546ce2eb6a6d

SHA1
2acfeab679f1b9860ffecbb24ec49d44a4f6aedb

SHA256
df6b5d3ead20dc5311e7f02d9f55bf26a7c5e80706778b0f863e0872a699fbf0

SHA512
ee88ff7e2dccf3dfd60d3dab3112253038340888f6452c0357516bf6423ac2d86df160ac23529e8c3d47ca2c47c06840c3a09d1b82fb7c3878c280167c2498a7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
7a2bc47e64628e3c5d75cd66f2ed106c

SHA1
058aa4406ddc7729afc87dfde14d8f03d9bcc7b0

SHA256
fd62e6dd89addbcb5e52c258c57d8cfa85082660e4aecdee4ae7962532ca88c3

SHA512
766a8046d90ef06722fc1a9d335d9f9c21dbfd151a493f6d39320d2dc387c71dbe4635380a00ea47a8fe613d3d919dfe423b76eac7ede8e1fcc2b262f70e6dfa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7f12fd6e5dd2001d5b706eecb98ae348

SHA1
6c19d29c3e6ef7a8228a9a3ce0e3d91bc744b2c8

SHA256
2e0090da66efc0cd2b4c8dd177f360275029723fcc1a1af7809782a44d7353ef

SHA512
429783fbec521a936bbc8ec7a57f36841d115b370b1f2ad7816eec3cdd84852fde7df8e985e5354b9fd0dd3f37074ec498f9086cd052b6cb0849528926e33e25

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
8718edce698e6769a8d2e1b9b0f9313d

SHA1
ad6b8de1f0147786551e6a24bea99a03a1eef9d8

SHA256
94f4a471092dd22bacdbc7cf92016bebb2482e3122054f4516c2d8f5f48a2708

SHA512
21ccffaa1975d28afffec8151ef983dfaae5e3ce2f29d01afddf9e4ceea27dbfccc8c5bc770d4f18e85fd5e5380fa1f28046872765201697c3abd1337c8447c6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
f30db258cad10693cf2299e950bf3b19

SHA1
aadec24e99fa4fb7b458a73648dc03c89fa5aca8

SHA256
8a5fb6e9b337b8b8e33b664bd534f655e451705268fd6f8778f4af85cf7aab13

SHA512
34cf0d75393d948a89cc45da2e8d79480b35f363eb22ea6ef96ed4fd74405d6cc6371fb57eec9cc7f2989737d54465c5e81c81092c8d2c206184db8c439c8084

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
a34123378177784dc7e3fd9a3b612028

SHA1
7821db57e138203df11463c498bfac6c46ace07a

SHA256
d5cab645bf54090c6e3d64218f65b9bcf409e4e45846f864315b06075b04cc06

SHA512
a506242e765451c108ee80576b011beb450b3b959b6b2cd59fe2071940099e55524b584bee451d0e87e78f3eb2f3dcdc747a57971d2c577d62137a2e79559876

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
439fe1ccab12e0555735aa3f6640a15d

SHA1
8392b4a478d55dc5a005849e0c63a311da71ad3c

SHA256
b83f52e3d393539134edf69f1afc1d9041e78a5e03741b9e148514c4f8fce877

SHA512
91a46f3380006397ec29624342e440677ab9b392974546d6f193e004d64f598bf4e37f81585fbba86fdfd6540f00d482e1a3d492edc4eb41b6de2f2dedae087c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c3fc4d480235abd8c6f2ed58159a9bff

SHA1
1d15ec7126d6786b4ad81e91ec87a58fcae6ef76

SHA256
04fc8f13430acdd60fbbf850ee56207a731342ee09e8dec6d34f206371d631db

SHA512
66122c994318b7a6404a4cd14b348381236302ce524bd156d99a773b97e7b3b11a2408bbc4ad7710f7d595635ee7f41a28fddd63870e7d5a3503cf3ca4a4b36e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2f1700e49b355de6fae575d7f911594e

SHA1
061c901b3dd205d9d64a431927dd1dbfff4409b2

SHA256
e40f2ff37953115d0ddf1399c3a78550382c26f43a12232c4041382ffaa31885

SHA512
d8ede99e26ee4c6460ca541e14169931991a27c2b1720c6bf08f53d4460c22a375ff8df03d78b1000d201e5f73e4e467fd50b92dca98511c3f7a470a152973db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
ef9d3bb98b06462b36f315d26bc070b1

SHA1
cbd9a00fcabb4551a3ddfd63c3f9dede312d72cc

SHA256
12f64fb5e4bddb14b28fde4e2cec762a8e402f0d9a7cd89cb5cad29694abcd08

SHA512
f416ab3837a6c9264fe97340ae70ef69fc6ad192cd212a9cbe6ce6822bc50027d167bb519b929fd5fb64e047a8b074e1fa60fb3d5dbeb7e5a67a10261a9d32d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
528947cf1f41f263a3963c25d403139f

SHA1
858d90dc574e0c0192ce9ce508a92802faa27c9e

SHA256
aa9703a179bdfe58adea87e8bc7762c95290407836b1b9eb7b285d8f71c952cc

SHA512
b1cb4fa841f3ee4441757e619f6f6b144188dfe76a2715c0a30c8db6aae068ac779530d35b5aa387a8865d166ceacd957634237ad75f55569faff6601e6b5af2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
072273090b3bcbf2fa6acd6ff612d8ca

SHA1
6f5ea1650233b7004db4c3f45c41d207236bcac1

SHA256
f608d13075adcce01e058ce99755f9b6f31c106c5881ce33f06c7a594ff6167b

SHA512
28cfab016b3f5e501b6da332c0788d053d8eda335d642d519b1d53d2ed61f823b9c118aa74e9cff2bb8af38a2fcafdf3dc81987bcdccbd30f3f5fb8d89f562f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
151158f918c7e120e572de210336a8d4

SHA1
a885182c892626291006a3b497e14ba157f126e6

SHA256
26607d947c0ce1addb5c85b7b5d8e336a355ea276721ec4ce13bc8b6249ea276

SHA512
1581bd10e6366040ba7fd168b43fc452383134c31f33d7fa49a635ddb28bdae370b417bef041a93867d6c312c8d75f22b6cff78d102edbd49cf7abc1219be850

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
3de28fff6958136ea2482257a185ba75

SHA1
3f49fe27962860a0af7c76a6fe0e0ebf758e39c7

SHA256
b151b29dc7b8845f7adb7bb6b684593b5fb7dca54276ea88278020e07c6dfcbd

SHA512
6ec0ac54bb238ebea949448042c4f85719ed1f8ebde03007efe4c7fb83a24efbde855eb13a973a0bf852c2a8b24324fdf11db93b6874b5c8350a782b2aa3cffd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3734a01a966da18871334b58655a6926

SHA1
5327cf3d010d4d2acf20b5b9021e110a9ef9713f

SHA256
d4750eb3be1cf30248c0835768ceb6fe9ff8956f4640e4b3b69a914e7d07154a

SHA512
d4b8ec3c6213a2f43bf0d144eb44378b0d05574fd5a5480c7e8ac8777459cb4b98ee535860cca9cb6b85192cab0fce60814eea1f4287fca2a584f6d4901135d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0292b647eb10d5a283cc64ff02cc6235

SHA1
a0d4e2090a06159538d9b43be311b90e0d57670a

SHA256
44eb0b099627484f9ada1480e474864c76e5b9073f21793ecca29551bd8f1fd2

SHA512
a88e7ac9fdfbaf411d22f0c00bddc96abf824e13a4e1ae2763d230984e2249be38b76539a30790c2449e4a75c7385e4a209e85406df992895d7a318f88535b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5d2ca3e656927af4ab4816f22ed2ccf0

SHA1
24da6270b0c9d34c6200fba9dd6009e894fbfc5b

SHA256
0e27aa6a9657a0ebf925e027b093555cf07dd826098e387c9cd18d85fc3b12df

SHA512
877dc530bb3b1e5460bc4099a424d6ec9d5d68495bf2e0b6ef10c62c563fe1fa184f6a32c1d0ce09471218f25478d84e2472be27053dd39d51397561bbd0cecb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
826915ceaf09ca8e4149d1d96b97848c

SHA1
a4ae368a66f677d7dc6f6e66867ccb8f9f79741f

SHA256
495b4dc93259e7718bdcc753182c8c0a07917c9e8ca41242c38f72140f911db3

SHA512
e6af0f53c64b690bfb34a75c7cc5c7493f716d4514269c8f1094b4a8c589c2a05b714a4f942a04ab9594112f6989a8932be82e90027ef5256fdecc1ba56688c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f75f42414337bdf67c45b5b06deab422

SHA1
8a20ddf70a9d9cf3abac9e3c2185d990f3c5913c

SHA256
3d18f5cec9754127a69d82e161274df547a7c88a5d6e28b042fe70dec9e008d8

SHA512
626d9956a48bd8cfb9f2ddcff9ba9da277f4469e00000a9637dbd054e389cfa49724184f13423ee80a19aec78f1e64846e8d74f4ed65174e4a6b85b0d79ba159

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3a5d620fc438e3d487d3a50e8436abc0

SHA1
d574b260d35fb276d3edc2fe061d2634c56e3d26

SHA256
f933f9dadb07b2eae1723f600f3d9325b7c0f2b3979093b9d21bc3497e735399

SHA512
42b6ef107e8ea25cc99d32cdac8fa0469d59559c95d259471c109d52f6b7c707e57b2967a28d50f0b1a9e9603f72c6d96b6e82b77dc59f769c1969f60ea09049

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
6b271b4728691f8360660577d3644764

SHA1
811b39983b11c84fac4bf9699631faa0ad4de965

SHA256
c34a7104582fc1b51b687cd5ec30b46a8979c3b5f2032e52ce41acc4ded98adc

SHA512
f3ccecf6fca838df5591fe1b7f7b8f8561eaf7986a77c243bb23a907ec1e3f03ddaf32c40ef5242b8c3e4b48048168935bdf4a7db96657e044b21b164fb4b8d3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5f7399f57d852d88483106d0367000ed

SHA1
6d571856f689d8d176314ab063fc17bf30477810

SHA256
786f7683aa595feace8a3afd687362d3ed7ea06e542c3315afdaefbbfb26c9e1

SHA512
2315a2509450b7a0ade049c251b3a2486f7bef4812a7402cbb97d3369522b5f708868dae8d385f83f347d489196f01070fe70add5650a95bc4bdfb25d6ab06b6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
33588278912a973314876ad3903affbc

SHA1
d16d1e979e169e4db7b98863052565d34733b0cf

SHA256
0b9ee3557d133cfe981bc563743858117135acde06a7c302874c4be76710ca79

SHA512
15047eab23356d7a08f740316ce610d93ac25f89ba2da1fb436f9085b1522eccc8ce9cfb9ac9d1c3b792be3a4b1d97a61adf41cb4f2ba743619bb050b3fb2f66

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
565d0f18f950b3a89f5906b636a7a6b5

SHA1
64d566606dc15d2a51840ad49cb7bafa6bdb5048

SHA256
6325262d45ce4ea3fde23e5b0f11a41255134ff557c9466ae5e2bd1f886223ce

SHA512
2875e6c2e604899eb555010ca684f7ea89121b94b3c70505e1443731b05528d25a563847161f2e91c8629157e5ee004f8a2814e63a3822f971d684873cd26aa1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
d428233c0dc5f250510b58a779ea5248

SHA1
ee2611afe3e3f4c97f0c5444a72af695fb6bfd80

SHA256
0c695aa740d6a366b60f888955c1bfacf3ed7349bfb1995e6ea953840759d1b2

SHA512
62698133a81d0d232daf49d0af2a0c9414f8f245f717f6a6b1d8cdb048396830d87eb49d9b6388cb7685f6ee84c30c5dda26dcdabcbc79e325cf9077fa16053f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
d8cf26ef79e76199f9fad33bf3dffde7

SHA1
f9f162b27ea4ca84570f1f0a7cddb30a1c7769eb

SHA256
240326f10dec5a9bffa321984a2dc425695450aedecb6ce0bb1706b84c0e7a07

SHA512
9e50d0fb2afa8ed16897bb8a482a0678aee0b82888540fef3b15fb4d2dcb4cdbdbad425f0d011ee76ac0e182afcdfa231bb7a808f6e419b79b6bb90993782a1b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
41153eca2d98e8f7e55973df7023e8d2

SHA1
0ab2e467f24c34619c26447b3faf553b719c0ab7

SHA256
7bc8225f5c60e692ad14630954ca259692b5109a2d08caf218973f4d6a53c456

SHA512
2803f564fc1e9112b38d5a81587d612fec9053d3dd0a6ba09e3cebb5994089fd68f8e4ddaf00bd4bb46d4e9d05e6dd38a0359bb3a73f3702d89566e0a2ee4c58

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
97295fd33309176374ffe9ad94dd0bc5

SHA1
1a109666ed753bf589dd2fa356611d89e97ee6de

SHA256
101bfd8161405524efa6996f1e3dcfe7df2cb2314dbd09723f79f736cf17c799

SHA512
127fd9aa2442c78cd4b5705e3b3d393a75b34c1e84faa48a600894c29ce4b28e50065488c671717f86c7aa6073b4181428d2a76436a6c110dba03d1c3b317f27

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5f72aaf19e0fe8542fd61dbdcd50dd83

SHA1
8963fe9e1b6b7d03a022f9ef26ab9655182f8f17

SHA256
41b57bf0f6832d828a4c735fd152ca5c4b7d7f78126bed9d532d94fd41043e44

SHA512
031faf7cfa6119f5326d8a9ef23e7569baff5856ae99e3a45d10f7abed580c158a855300b54f3b0ce63883d28628fc909c87d943cb9e04614b0b1351afd7b797

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
fb286abeace34020df50bfbef7f36463

SHA1
2ca48096101fb8a8d765633ab14838742c473e39

SHA256
5ecee5d703de115cfd3ad29219750cbf6855b3d77d73d2c0f84017dbd4cf35ee

SHA512
d401bf8b15e7105cde02ef69feec0dce60b366bd72c03d1046a502b2aea31340e00606508386f372b51e6f29029185ff82bd69b08a6ba8e1bf3e3b9dfc7341d5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f6b37ada3307f41a92184c37bdf1d5f4

SHA1
25addf801411b6f3bf459ec1f575096a61874c93

SHA256
7cc35f0423e8e866c62582e55f6cd1b04726440c8b6faa3d2bf4411b80a22810

SHA512
807a06a4b8ea5b1dbcbe0b10694742ce7655e919d6f215dc3d7e4533c2f1f07370e4cbbe326682ed46891bff3a1b78a38f4a5db8d832a35091e98d1a0da69688

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ea7a62a87bc7438fac2c7e4ea6ae5d9f

SHA1
3ad46f7b43cf69e90f3cdffcd553115df87766cf

SHA256
81932e9c037f50008c79158b19f0c249c8c64a9626ece1101df9f8fa00bb3378

SHA512
b09e4bfbe1deaba0703c5c065fd0606fb4f6576d866999c4b87de60d90d5de9eea712c7a44007403b44615cfded1b64a96ac0b2273a6457f4fff74c7ba20bea1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9fbe47567d1bb76909802c382751bfcd

SHA1
a2a8f5459e97b591307ced7ce782ca9eb8791218

SHA256
61955114af8320c92025a8527437f27a72305a1e973302c7bb6b7346bcdfa1bb

SHA512
994608ded666eeb9a61aec4f1537926cb48a3e33ba717a96de685be79dcc50d94ed1b23e50272b9b1c9ad8c0edff2cf9e54cc43128f690c60601e80874b61ab0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
21012d04a05075aaf25cc4a31daaf2be

SHA1
ba45fe610c70e9709e4206cb86596369c96f3f4c

SHA256
9cef4aca7eb6b4f5ab363aed5e850ef6e630874236bd58ca75c36dded1eebbbd

SHA512
52f0085a7bde9a95ce320249b050d3c37e9998b5398bc7c42a123bb92275b16896cf8101f2c96bd5095c1578e327e39cdbbac77a903c57c1a12e0be8b686de30

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5b1775104ec9c74cf7fa8365507a51b4

SHA1
ca1cf8acd8c4b34074cb2411d2647a32eaf6fec4

SHA256
4360ab3d5fbf57c6c345a098e78bab296254f8042ada5094dc2c929e06bce11e

SHA512
8f543414013c47f978c7ad1776f7e87a6195be05c053f1babf359678b3ad0e89570b61aa7c568e35ae5915d2378a2de52d32344ff374dbb6f1aec38b6e280f97

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
ed19b30985bb21e5102f22483018fe3f

SHA1
2c5e2be86628af66eea7f223014ef5a36f52cc7f

SHA256
b631a67abbf839773460939447cee7413e1bf4bb2a99b575b49838d47a5d7e6e

SHA512
751df2ee09153b3337e2f6af2b490399568889c105e219a14635a6937f9217c1107e2a1d4c5579317739134a185a8c6b905d5f0d80ac4b9a736c5c66ff617d5f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
52e8e7c40571f545d961664fe8c9dbfc

SHA1
f514320f53960848b4f9507ea8fe0cc40370865b

SHA256
f75c16a5d9f3f7a49433d39df8e10dc30717ba1d13999888af4ff6db8836946e

SHA512
ac58894445f2f84d08d0e43066013b036c8736625f117534c432f602feb69c8d924802a471a791beb4ea5c611b3dd665fb936a5b28d5b4c8778d60e9ff3fd22a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
5e300c695c9a90cf1d1128d3d0c8ca2b

SHA1
86754d6ba86519bd30fdcfa1146f8cd06e508dd4

SHA256
c7aae3ce6da539fd2c89d20b131102f69f76be980f090c576a6f24b311513174

SHA512
ca086f87df839e00056461ba0a45e8a58d86044939a860d66a0578e2f652b0ed100264b09966fa734bcf6e84b0b92ab97c4b96c1f9f04ef4b951581033c0a4c8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6d975c49ff4f25f7a9ba3f0c84510713

SHA1
91c0ac6de50cf84d374a360665c2b8d6aecdf737

SHA256
b5d6d7ca0d120c57573f84954366b38d9bdd1650d5fe3fdd721734fdd5f052db

SHA512
3fa0604ddb151472a2a3ff799bb85ee33a03db549bb4e6b280611c8b4e94a452aa80b09190e67676ec995579214ca52cc555391e0c1cc943d5841fe27d2c8462

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
20af7a75b4b81b3c23db0663b8258093

SHA1
b2552e528308884a6b3bacd8d29c78510f714e44

SHA256
413080aefac92849c36eba3223ea8c4d41538a2aa5a5fbf229c94cc67c29566e

SHA512
6fc24e810b93762d1ecc6627543db36fe8cab04fce4437e35d48932e1671f598ee86deb1b515d87388a3fa0d5c3ba3fe635c59df5f7f23989d1ae029de67d242

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
39d005226bacfc1a9fcf1d337565eb6e

SHA1
61558b576f9f4e8430d7e32a7e1a841e63f4c9e1

SHA256
7e5f4264d1b3ec3ae9a68b6f373d286f0cb20dddd7fdd2436630e89f000f5917

SHA512
2ce3518dc4ed3a72047b7ff2c252754b1b8c899fb7978ed662d69874493f313cf8822386eefe6f72ff1f87f8fa0b6c5dfa22e012f00665a90b6040ad6c3e4b3f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fb0cb6d0e744942d30725b92eac9b6c0

SHA1
1b578c418296ef0cb7bf1333da35635cecd1e02c

SHA256
34280b5028ae3fc239c7c7a38dd92e14f3bfd636cedc427ad12c2807071ada36

SHA512
914df21da99aae367b2e5478b0c20997b6d095389777af0dc3f2d678c397ba5d4aea029dbc5e85ccf1f95cd461ceb2b1f9df348f694cefa087d340d8447dd7c6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
2bbd6c3199a53a89be151ef5c06a5309

SHA1
c09756313e5c92e3581b6cfee4e28731c0a70168

SHA256
e048fd2aeae9e1dcf3d11241c9a53f7246985267e1b2ce366a59851f5b386ea1

SHA512
0c3277bb0ab8adbee9d0a6a1a097407b7838a3479778ec17a5935fcca9853daee5a9fa8c576215ccdf7dc8fffe1230b921e4c32289df6ab9e134a8e8ef39155f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a3ce5027af58a0938eefa4d180f4b2f6

SHA1
11aceda00840206f66c3a7e9144ed07832021d4d

SHA256
1cc598b6e7530a61711b2f85895ccb34a5331b66069d8caa55691d8a5be2a7ac

SHA512
2da42fd630e80d12c888e8367645e1f3ebf62ea94a0667c3edc8b7253e324eafa2958bf1f824e712ac2ede541f7c3b67e8c1010ac8d3c509a53ad5296c36795d

Download Submit
memory/380-565-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/380-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/632-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/632-85-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/632-77-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/632-71-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/632-79-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/860-568-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/860-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/876-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/876-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1136-86-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1136-98-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1372-30-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1372-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1372-32-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1944-53-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1944-169-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1944-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1944-46-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2108-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-146-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2580-99-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2580-219-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2824-97-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2824-0-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/2824-18-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2824-5-0x0000000003C50000-0x0000000003CB6000-memory.dmp

Filesize
408KB

Download
memory/3204-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3204-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3204-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3204-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3212-191-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3212-553-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3304-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3304-202-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3312-125-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3312-242-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3388-41-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3388-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3388-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3388-35-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3388-55-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3476-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-487-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4044-564-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4044-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4184-432-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4184-158-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4416-255-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4416-570-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4456-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4456-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4464-120-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4868-119-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4868-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4868-10-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4868-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4896-135-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4896-254-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download