450f0489b0534da24a56b7c2d0b33ef2ffb9d82b3d58b8a7bc873389ca945f2a

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 06:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Size

24.3MB
MD5

92d47fcd78dea1b6daba5634e38a031f
SHA1

0eaa3c9f7558934e427aa9fa546bddc85e187be1
SHA256

450f0489b0534da24a56b7c2d0b33ef2ffb9d82b3d58b8a7bc873389ca945f2a
SHA512

65d10fdcd5ba313423b254fb388d6da7a193083edb8b82ba2e82848b73947a1c29d892a4ac53a1e6ae9b9c165e8f8f05f98d9cd401b7085bcb9550acecf828c3
SSDEEP

196608:cP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018l17:cPboGX8a/jWWu3cI2D/cWcls1a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3360	alg.exe
4580	DiagnosticsHub.StandardCollector.Service.exe
1692	fxssvc.exe
4152	elevation_service.exe
4920	elevation_service.exe
4348	maintenanceservice.exe
1764	msdtc.exe
384	OSE.EXE
5024	PerceptionSimulationService.exe
1972	perfhost.exe
2088	locator.exe
4296	SensorDataService.exe
3600	snmptrap.exe
2564	spectrum.exe
1108	ssh-agent.exe
2592	TieringEngineService.exe
1388	AgentService.exe
1956	vds.exe
908	vssvc.exe
4408	wbengine.exe
5228	WmiApSrv.exe
5372	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\43634e98c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025fa8c3126a8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000898b552f26a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000568d172f26a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d17022f26a8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000568d172f26a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f31e672e26a8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002fdc062f26a8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1692	fxssvc.exe
Token: SeRestorePrivilege	2592	TieringEngineService.exe
Token: SeManageVolumePrivilege	2592	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1388	AgentService.exe
Token: SeBackupPrivilege	908	vssvc.exe
Token: SeRestorePrivilege	908	vssvc.exe
Token: SeAuditPrivilege	908	vssvc.exe
Token: SeBackupPrivilege	4408	wbengine.exe
Token: SeRestorePrivilege	4408	wbengine.exe
Token: SeSecurityPrivilege	4408	wbengine.exe
Token: 33	5372	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5372	SearchIndexer.exe
Token: SeDebugPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	392	2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3360	alg.exe
Token: SeDebugPrivilege	3360	alg.exe
Token: SeDebugPrivilege	3360	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5372 wrote to memory of 6012	5372	SearchIndexer.exe	125
PID 5372 wrote to memory of 6012	5372	SearchIndexer.exe	125
PID 5372 wrote to memory of 6044	5372	SearchIndexer.exe	126
PID 5372 wrote to memory of 6044	5372	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-17_92d47fcd78dea1b6daba5634e38a031f_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4920

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4348

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1764

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1720

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
1⤵
PID:4628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5372
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
cb7144adcaa742af9d75a41b37fde339

SHA1
5eff12d3ff172f4a68339ed049210c11c18626dd

SHA256
94027d703369173ab12fc59e79f39627fa54aff1fdef8fabe66e86ea74eab8a0

SHA512
0c193d45bb15d886380259e1dbdeb85edfdbdb0d9e260671f6742f08958889904de69aa82ff94ed7b27128cc431e43babeff3142187350cade84d05dc9858ce7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
571a82c5e2a401c03ed3703669a03289

SHA1
30605aefbeef7b30edaaf5db96c9ea6b1255a9c5

SHA256
4c4eaec984c6c7f4204e01f768982b15d16aca3bc09cc8f8441ea552d23492bc

SHA512
6c5a0d34ac9b267ec1f61270d9f0a941b714f22714d8eb8ac4914d8a23652792c390077ff232ebb5d5ba13955ae02ccccfa0892025c2667a907e1a46b278bf2f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2fb3eabab70f22c503ae3ae645971099

SHA1
e056611c3d45b591671fb017790d7dbf6a9e0dc0

SHA256
25c734d22932205107087c18b05fde89bca8e72d567228ac136517f86ceeb1a5

SHA512
51929880ea013ca2e91ac8f070eccbbb0e7ecd168245fd999df83e32f0c15b12e53b9e996c661b4453102f35161d0aeee111631cd140965767389d2401f90d16

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bd31707617793c15d01aac3fa65a37bf

SHA1
7bd8ff02ca79bcc0ac324bd0527e8342ac0a128c

SHA256
1562da96cb0f1d3decbf941a5c4ad59f684f86a43adfd27b240a33b2c127e1fa

SHA512
177aca3f301740f6e89927c2f11f1c8a494246919e05902d1221a65293623e05a8c2687681818cb1085574aedc0daa674463c9d6c8073d28222b8a61efb5be87

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bd54a3d850c8fc74da8bfe474097bb01

SHA1
0c33c81732a965c8a2492198c6bb192c822e65dc

SHA256
640b29b4c6852ed86e39eca2324c2aa37c022803548b1ec3af7a0778b93fdf5d

SHA512
dfd4a6eddb935c69a5dd3221318cf1996ae145a77deedde350faa87d445d9788de5a7226ac1b9e211f1e1a32365569f668e82c5e674d61b53e209262ca8e94b2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
95326e07437ec0812d9453e95de04aeb

SHA1
4f10c73baf8073f7e903581171b55de43334cc9e

SHA256
e5a7df973070af5e218a16ac42c1767d414537bd90717e885885f27d52bbe672

SHA512
e0bf6e6036b7afe314f48806c4900189493d87733b22f86e9ed89cd0f21d63b7f99a5c1254799da2e602ee9605dd03452d48ba4f9bad725bce25d9b70b35e035

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
2c1c5a419b39040b94852377f91e3cc5

SHA1
a7339d3b34960d89578999978966dfb6cc64e8bb

SHA256
14ade38b4d142c6fe32187f4391af900d0f0576d3b92dbe1460c2541eb97812d

SHA512
73d80e073e47af3d6aa94036e18d8422d9fd51386946c8b625250c020045364605f2a483ac745b1728083e94907cb98c46d45001518e078c7361fca5061a3e34

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0c6149ea4d9384d8fa1fe3e7d272ea81

SHA1
0cf91c531fa3bb7db22e6072f4d5e6b82bacb1b5

SHA256
7d6c7b65a7792c0e4a7f3c1eb00ea63d66fe09e8acd4d90acc8572f1c4742163

SHA512
4d0c5881011c6694c7993db29fa303e78154a377c3c63916edb8cbecd945608476b9b08f3e4c713c1e2ced0e863d9890c6f33b8a83e02fbb5ea2a0093e3e44a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
42eb2302ff6f434f29e3d9e604b5e399

SHA1
21f375df5150e5b56ceb27d2edc05a8c329c3d74

SHA256
800a7e32f2c0bc6c188a6398b45f9c06e279c8507d22ef20ae5ddafeee19361c

SHA512
7c2d49793202f436c0572953cb6570246345bdb258ad0176471b4c43257d6a3f8daf05235890f48cd2e870a7c81be2fc881f33c58cffe899efc134282691dd98

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5a37908b01e43a9678231784ea417f55

SHA1
780c51ad0f892cf1abe0d0c2190d814b6ae9dfd9

SHA256
a07f94f8e396bcd5a46b064b25c12d6f737f886075041027275cb1744a4a4923

SHA512
93cf929593069daec6c3a1903283b4a15acb1b4d23528338c6f868feefecc880ac5a4af9bc97242a9b056b4a45d0b305871488a5fa7ffa6656bdd77a9ee92f75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3d436f99a9c771865dcfb16d50ece102

SHA1
77eccbfe2444a8e94941cd846e1af61af184212e

SHA256
0eea8ef45eccc872b67b6e4f9373fef7b1cce494deef82ef71b3f81ec6ae9ce4

SHA512
878acb14b3d9ac6bf5beeebd06df6cca1b522b3605060758fa60f1a1e574fe8430c87bac8352f25bd9a3727323cbbbcc09d881f83e39f06eaed09beb5641cf55

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
df0e44b89c2aafc322f49fdb22b1177a

SHA1
a00b47a4a838f88cccef824fb156a49f452ae6e7

SHA256
22b0ad6bd269c154f733b8bfda329efa5aa5f2dec6aefdad812aa0a754e77587

SHA512
875fbc7cfc983d913c9cd21b4eb6da891734f1b64751abb988a6c0835e40703665cca3ec8e6832fe51912f93e80273367ccf0e6ed705835209c14e18e3ec7a63

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
79b60600ba5e324ea695f6da2e739c5c

SHA1
ed9fbaf8df2ae015c9c7b78e183f3cbe68e3e682

SHA256
d04398d607296b90567841b0a616de773b839c90f7967d940bffe656daa127aa

SHA512
0430ffc5e49e15dca0e8079b04233e57d426ab9d7aaffbbc00b0a1b130b50723575bae88bda88efb95af65081c979e7fdc5d776964ea8d4b8f799723f6af792d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
0e6a3ab882489b099a2bb126fea297a6

SHA1
a1ad1ac6897b2c367745e6326f21600d5a4561bc

SHA256
02a3275a152e3d836c33f726f78f3deea52adff2b7376a393979edbfe3a50049

SHA512
6a008ad96a807fe22afdc7f366df069349d3a28d5d4347d6f188aefe80d97db5a2bb478403c68e35427c5c3d9f3d128f197bc96e93390bf4112cb3702d53f482

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
783981eb3f56f839f18f714e6edd73d5

SHA1
93bf5ebbab350b8536b4cf3c7e3b1179c11b4ec8

SHA256
d48ab8af69ba67603fbb7cb9edc68ef8df01ee0a4cac20b94d2768dc017a1551

SHA512
6db01702fe738c9f615742fc97149a03aa71d74cd3f9a4872eda1e745d39d1fd5c8ec8e07e7b3210a39f5d16bddc252ceacb94282b74ea0f7510d0bf94b6b700

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e32e7fc8e6907dbcb068c6481932c72c

SHA1
c5a861b8b2cc56a3e1e417762a639b512bfb889a

SHA256
c5ca494484e82f3b9f4c352c92d936b254576d8de98a648a4b41e54ba2f8f460

SHA512
b70fac412d9f49aea10896f164b8f496813305caf0364363bf06a646d9468facf3f4486fac4e465fd4643730f06ca1e4510f8afd7d8852973bddee72c1d74784

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e04ab78c1af45ba536abfcfa2935314c

SHA1
95a78d1e40e14c561b7ed284a3a9439f6483281b

SHA256
d307c7e6a2dda5af0c66dc4e40f44c8d0ce5b9e9e147c8d7b80d2859317faabb

SHA512
3a9bc138ac71192377b005592b12067dfdd93bb7dec5c62f0441ce3dfb8e5e2751d982f8d7f4778151589fccf67b4befb02126d4e46a11b0b251d2b81508a9f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
afd564e5a38fc229a4107750db8aba0d

SHA1
1f0d2aa7391234c0d269e4b2d9c0951434fd8578

SHA256
7fec2ab3d868b9f9273a968e5cd0916fefe95f899da517727d7f71d9617140d6

SHA512
aad0abb8192180dfc09ee8c0bf94c260f54c32730577d9ef53ba169fdce3f139079cb00138c656d1336656755b1ce12e2ce5b066d4e204688f9b2a239dc1a842

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
38045c85784d77c069fa509e091ab861

SHA1
b6018b13d2ff61b441b970ff090389e382ffb116

SHA256
b9220213e516d0ba502fc34cb27a193586a69f310083a529ffaba15af45fd066

SHA512
f35abb9578b8619fe91a9b7d743b214460f3e3e175597740245a6549895eb8a2334c60be85f0e823b7dff4d377c89a6badcf42a39e72651176640229a41c9e3d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3dbf525099324063088ae055b7ef2d15

SHA1
87c35113a8ea5b9272353dca9256845313312510

SHA256
9da83a3b6acaaaca4c6830b68ce35419a87149c476aea2618263997654cb99a9

SHA512
9477c250e3aac1e56d44529b4e6317dbbbcbed4450ba33b317be4ea5a198c7afcad2b0c1b25608e8231144d80c9432184d2774e050a92e7996672ee1790ac83b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b3693f59082464b1206138dfc61fd999

SHA1
7016b0b2077a0059f48ed3b73f30391a1bdce9d2

SHA256
eec1df59816c56c962aa153e1aa89d54fb3b5342f97d30c69e673816d2b48e8f

SHA512
d860654f5cbc4e7c7312700e09de08b7f37675c453eb26d4e4008aa70a9dc44dc7423949e46cf5eedc5bf2311d9743df2ad037ef678bbc8d8819f109bc7589f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b6b07d52d9a2f7cfb2962829e140d091

SHA1
e1bd28c827ad14b3f25181212eb290efcd6475b9

SHA256
a85224acc0a7094bb20b3f539730193fa92a75247565a4acb2cb61e2e8bc2696

SHA512
8b57b5bec267b78756a379428fa0157d8a18bec6ba3cc83280536b1e30a4c4262924a08dc767994618d40efd75c2cad77ca74047b3b8937c6e8edc0cc3c10758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
ff464e8db108cd937036acfd76fba34e

SHA1
46e0ef4412dc6f7296c1b99059078eb35ee55d94

SHA256
f36dc8b702646b6fb3f788eef4bab15c6bea4c8a5208ad728c4af0a6157526ea

SHA512
0ebdbcc474bf2a1f6b45ec781b7437dd757c467865ad8dee9b61e0594273d50d27d6d9a5699b6d28a7a056fb693b7b4945ae2fabbde991c21566ecaa5245bb6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
67cf3274f08a8d8f644ad91a7f1bea71

SHA1
68f6fe898bcfd9a2e245621cfb9414b5fe6edcbb

SHA256
0888361ee4c029fa201641c9d7694de7048e823df8a0a977c820198ad392f0f4

SHA512
1c31f73dc1184763d584a5cc436e31d5fc5a4eb14bad690c647d8d570facae43dd85a3ca253364eab5c9f376cf152d490431024cadcbcf7d9471c0ac7a373205

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
eb50bbc1557ed18f882e134c16d63768

SHA1
a89534b9be6704b7be7377510e3d71547f8b7ee1

SHA256
f2edbb851bce788a106b9a7e6db0fb047a104435902e870a4f05f0d8339747ee

SHA512
5b7f52e7c48c4037dfe1e5f950fa203dcfc4f50e2a5f6db835729e9f5a4cba96b259ae3ca64a3d030463abf02ba0aa6dcea35acee58ed5abb4f362928ae309e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9e38bb453076a2e4401f9a8447a7f2e3

SHA1
3acaef999db8094a68056998dc060977893c9d48

SHA256
1aea95de5eb75110cd55c4492cc9ab3da95cc1ccc16b3ffe670efc6160c85591

SHA512
185b561ad2455a302b0f27fb02984ccd33d0bbb4de691da3d02cdc331fd79b4a853fca64e9718ece2637ad0536bab93dc37a19df93d424743b41410f2731f772

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d7bfa5be2a15ce266b9613ea4b5cb69a

SHA1
88bd7d2f0736e1b32ce860225827cf3bb49f5017

SHA256
42bbf8ffd2bd1433d5e254fe2416a7f106bd3d947015fdbc25c83e3faad6b39d

SHA512
4de3c1ba4112cde9e184d3c29fe07e3809905cf9eb1a26df65281f08e2f07b2df1f95f4e2024fdebfcc79ad47e2aada7093b9cd27587fbdb1d538015b017e430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
44785ca6403c9698fd433c24ebdf52c2

SHA1
2b0da9656d62d70a0cdac0cc2df2861b579dffbb

SHA256
e7023c7f39c7af614becb82d9b974070b59992646fb5eb10bd7b1255ea91cfa8

SHA512
44f80e155b61f047f1879992c55d4b60e17490ad0f71892d5c0fac305c436c21b47aab0a8251b9a3c9400ea31a1f561d6ea1cdb7890b3ad687c9097a0b43a925

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f73841d436e5e7336e31437598c468be

SHA1
a73faae48bd9f2e4f546c1e9cb2fa003ce6f5da5

SHA256
d8aa420583c15f66a8af6ba482cea9b81b4504cd20419e2d1686558aab1bb285

SHA512
b6bac7998312ac125323bd679da97ed6f185a259b90fbd7ed854762084d8767005d0cf403b4d9c590de1fb00df2844c051f02a7619278711c05e762f5b6e1b08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
abee12fe8285cc32f9b968de0a0b55fa

SHA1
bc5d6f80382bad1a4876aa992e40787b0e7347d4

SHA256
0141b5964e5c0f75ee873e8a513cabe0266cc1b25e729c54da90a7edfa9556dd

SHA512
949a81c50aaa5cf8ceae90b12385dd545a9cbd884fc3f56d048bcb55e454a8af229078332fce88a47e13aa2ccb528d13bcd3569d7c4da0ec609b6b5c2df8018f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0c7906cbf3eda109bc240c9dc442727c

SHA1
d47386735fbebf21e77907e88b5e0e6d45a5f85b

SHA256
a2426eed358682a27d9856fae36e1713ee205bdaf12135eca72bff9783a735ca

SHA512
5ef2d5d40ce64c6238c1b574c71f83f8465db093d779d35a0395ec572af70ee405eba2b807c35380d070dc5e0c3d94be3f1bd31fa64d6f7de541df30d73c3bb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a97b0834d38d458b82d060333d181cf1

SHA1
9c5ca1828a67479419670696ca27f680f22c388d

SHA256
30a904f15ca6084f101849a67f8028f975d3ba5e08d6af4a8590917987fa1155

SHA512
2ef9f07be2d65ef6832b7ff8cf5d30ae97fd47decb27189a87b179c09e3e4c247e15f6107a8c561a44ccb3c6150eefc16f1cac7902713a885994c70474de6e7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
591e24119c5a23b12364db4a190e2223

SHA1
278b0cf2b6e5eeac5ee5f4aa8ef3a29348b9b668

SHA256
cc5fea95d129f88751d2aac0c0c7d84c9f18d661e7ed92ac3079b40d3365597b

SHA512
bfe77c25d7f844d0f6bb5ec8452b62645ca843b478c3698b4b626c9cb381f2a4859e4daa38a3d2c301ac81bdd5219014c3ff2c9cc1f11497fb3c16896f787686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0e4ce0ada791194f79dd1a68688cb496

SHA1
cd7a4faf76d6f21e8f9e2ba19307ca8562f980ce

SHA256
9b2a0665f7518b18cfe894c197b40e9fe131fc62283747e005092f9c5a93a942

SHA512
38899c3fa63a780bd02fb7cfcd73c84fa1d9c2d65a3c019afb082b93cda697c05acec0dff2a0a84aa74531ee4d5caefe36610970cd0303116418eb7eaf96c692

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
05b28a7c1f1a02bf77c58d484b1a9759

SHA1
41b3a4ac3e0d8355f5f09127628536eb4ba5a739

SHA256
d39c0861ee4a7cfe165decae35839aefb33186d5d391fe5b7887925678d3e113

SHA512
dfe9be1dc23ac4341440c89f8943295d5752b456c013e81d4079d94953c743c1879e509d58e294bcc03739797522971ea37fbde0a7262e6504e0794f6753b205

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
87bddec0e583ebc6a5b67a51356c8af2

SHA1
ab6976f279204361568f90d8689bf14d8ae1ce0e

SHA256
1cf36a14b0a7569b5b86c00d6759b8b6f57d687b54af416df22bdded5f5e4b29

SHA512
e699814eac3ad7c6811a2a40fb1e3163d4285befbd716486e4b58aae3ec875f592307ae84087d7962e3e6f953c2edcaaaa9905ff60b64b578f91ad7616b68a1f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
3c2738b19151fb9f1ddd68ac5f2d9ce7

SHA1
ca142bdc0942af057307ab9d750075b985a62d6a

SHA256
27510ecf1ce6728a150ed74b3792c91923db1d8ad19e494fdd0cfdaa0a7fed6b

SHA512
c3f23bfa3be2d15c359dea675536834ce2451f12717165eab26eddd5bf04aa3d4fdce3a5876ae86fa1e2cf22be9e216ae62f09a996d42bd9b6de528e538a590f

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
31b6129a4e1162c60c849d5e43a2917a

SHA1
38e49b5d7ce2d433afd01cf62b4090d1c6573046

SHA256
64bc8377dc9f890d941e5fc37f4b2c97d050b98501f7cd6f02cab1e14332f82f

SHA512
2ecda64c8168d65e430c3d530011827d2821e86d695c6d6a85d1faaec5595599cfe1b2c2a5d23b5d4624238e4a11657ea98f5ddda0d8dcf51f3b14f6cb0be0ad

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
342cdde3cb3b526f6bd324c159ec887d

SHA1
36d5c2d922d4f45e25c4f3c71456c6c347e6723d

SHA256
f64cee13aa84d84a523549a0a2c08482b9f5cb55514ea4177e12798bdcc1ca37

SHA512
ed7e7248a49b6aca112c2af3df71109f6101df7b541ab1629a87efc8d7c02a566522b05439cd735c1c2c68b7a8a51200480b36039a05d81871eedf47dfbf349e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d4e248b41302607b66072b1e2c730910

SHA1
e03b679ee03c035e8e6cd3cb7c962d148f7bf5af

SHA256
9b58201172bc5831b6891e13b8e6205b7999ef56614e86114c961a83dadba42d

SHA512
87fa665df1ad200cfee0cb06068a6d9e3c1d8908913c01f4e7bb811c2ecc26c3fdf2e371b0771f450ae778db958718c3c6c5c3146596b7277305e6816c622a5f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eddd091414689f4647b2aef8c6bfb7e8

SHA1
c442a9593b07b92d935c913d76e24b08166f5ce0

SHA256
72b5a44ed615958d240077b0109d379dacdb297c49dae293ed7f01bd4079dd7e

SHA512
344c87d7e021acbc89c319bcb49505156b3996cc43b4f480a7f074f34a17c0d8d39c6259eb62fc58e5f184e6fcb69dc44c3eb9a412a687bbcf9c3a2a4c78fd10

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
4396b2ecab7680d3ac50058698c893d0

SHA1
5797d1bc25e98bcf7f00892842b0cd0715d46b16

SHA256
9ceaeb8ccf6c41efb5062d11da2e73a392b887855c403f119b59daeeaaad1eea

SHA512
1626a42dd72cd248abb27a767894014009e4d970e5c539eec9a853d4465cb146a2fc5b353eaea0358521a161934c51f4f1568c7c13955260f37b005536957427

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5ba1fea4f0dcdc59de1fe2b8ab33be63

SHA1
88b35df1cb20ac5a8bb06993416df3e7d86c265c

SHA256
bae021abfe15515cc624587d395da4e9956d1d91b66faeb0b2c41ea00cfacb49

SHA512
bf11343d90657c970e921e4b91b1cad36b93f7d77340431f382600139eb9c16dc504cb4698fb6e8d22e20916648e297239d6a17c57e64c7cb9c6f5b78867e1d1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
d4f64e948b722fc8d33b4ff6daf97dbb

SHA1
2d9135dc0f5f778f32f7d6517f736d98766bf124

SHA256
8a00a72dcdc23a417d612278ac84c5e2ac348232ea58f5325cffacac55ff4eda

SHA512
c7ba926ba077cf94c37df8826df996c100fe420fad8d73732f28383969bab7b5585cda800301de940d12b698dd6853aff808d52fee80d35db593ed54b8eece09

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7827b244bbb95e9323442f5805fd11fb

SHA1
7ba184e3e398a421735ffd7fef1893d2fe48e5e9

SHA256
c17fc612c4f98ac26337d28586b917dbe0a5e0ac56fdc7ad4291cfccc984776d

SHA512
2de2429c85371b7badfa2ad6657fd881354ad9b0b6bff46c6f87dcfbd2018f82a7aaa94809309983b049cf4c5502e08be32b75ee6b863314f854e9c65a3f633f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7976707912f7d1d6d3ccc85ac8e85d6e

SHA1
5db8797a1bb8654a862f49e283da3ad4cbbb8a3b

SHA256
602e0f3e8ea137b78f99e18b582abe4ef1dd5e8d5670a77ac67fc510741ff349

SHA512
bd6a4688a74df20928bb0f3d70664a8d1ccf9a33683fe9aa0aaafda7f8ced7256ed9177db5bd05da1513200e42d32021d6a7fde2af51ac2b7292e2c26a223ee4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4fd201bed32059b6dfcdbe6d6925bbc1

SHA1
a0efb44dab0d221ed5918b404ac9f1560c33fe52

SHA256
2915aa3061fedd151f6e22c42921555f6700e61a13fb0e78921d4b20f02832e3

SHA512
04f1a0ceda9ce979229904fd8afcf71c99daa1ce4bea514111b70913d49d9c58ddae8f6c37d6698ffc055d8ab40b42ce1090d309616a956af2802d7fcc893008

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
7296f77f28231bcc8274b11922685c83

SHA1
8727a5e2b8c37facdc7e1e5ead55d195ba24f62e

SHA256
a531eaddc1bef8a8c794913893db3e5c0a2e05fa4972a566c8ebb26432fa6c84

SHA512
c098c6c3bc2979e5e8f1bd969ed0e1279d795009f23413cec29c565aa4c432c83012a6b4d590b5555341782c74067833b14d6f56aca2d2f4a382d2899cd393ce

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fab69dd73c995fff771c6fcb5dbfff4b

SHA1
dc2dd2211db6bde0857659541b575e8836979f2f

SHA256
f48ccfc84079dbb3432f9bc23472c939eb4e76d74a3af7f09e682966308107e2

SHA512
c2bf74eb50582031c51bba5f496b628a3c12fbb1e118514b05e22caea22e3059c8a1f84cc9736a5b5a3b1e1006714cfd79b54e9b38a0059b70c252fa38ce601d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b44438e6faa33b0ac67da97bf80f4a7f

SHA1
fb1c5a8f2f9cc09f6e17572fc10ecc24f602ebe9

SHA256
b940152615202d0364282f22f7eb57b74163b18709bfa53822977c47189cc2f3

SHA512
51e33abde5d33240b3eaa068ae6ae2666861f912ee39052359d8c3cec4c63e0fcef7dc46db0377839fac0a08198992bdf080fb75a5ab872fd3d29c1acfd87f0e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6bdf3124f7628ab34737f117f931d373

SHA1
1474da754aaff4a8ad8e83c9ad026d41e4b94ccd

SHA256
fa00f142c7096758e3e70d3f00bb8007daf66032b3de8e7c6d732207842567f5

SHA512
42ce87fab4f9fb229bbfcbea6faef32b8ec6819f2829b9639540f1326e23e3a5f1376ebf951713a02f1a258078c2ce5334e570ce802f55c5702b5b7aca01d02f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
dc471d33f24f65375ba259bedeab117e

SHA1
3b83d9994bceb58b884f7d0210f9b7c45446ba1d

SHA256
eba461cbc029c7489170bcdd6702cddee500b83849558712114093f7f4e59745

SHA512
2731fdfc8a57e439ffb7d84de8aa7ddd2971d4d42051b8b550a504fc99caa4e25baaf3604139ec7446f0db7694b3ab967ee7efc41cd60e95ff49958346918c3c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c56471e851645bf8a5f745e067725945

SHA1
96a52b7903b13e74edf820f10493dbe7b3e3ffd2

SHA256
7b4e8d9cb141ad23287384653a1f9c5638a42021fbbf97bcfa2560e019b7db32

SHA512
2e6d5eaaa22f9780f50b995bb7673a72b3b1a676b8704c293814e94be2e731297f1c8bff204a9b9b94e937eaf826fcf8beb0e447af0d0a2c92044247ac06b47b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3fa217c0c3f9b04f35d23432866f3d2c

SHA1
f0bf40021f8f404eb5a2fec908dccec87f8d69f3

SHA256
8ab1302a5b7ff29587af46455cc8bdd14fcba17737c0cef436a63e8e31fa8706

SHA512
31dec5bd4025773b9c766a00fdeb9590656dad420ce80dbd95aff816e28ac49f856424d79c94290392f5dea0139db71cf6d8378e3085d17801c9856a7734f498

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b999abb997731017a35b41fdaee72c76

SHA1
3ccf111a78b4ad71948f036419c326f15691925c

SHA256
7c1c65183b511cf148b879abd4d97acc1356feb5be7e1e04b8c2b2066d771282

SHA512
de11546606ffba830e4a23be4e62c578cc67c737666d333dbbe581e5d4da795591f642665d98596833eef097ef586d119d3441893181e1d8600d2f8f5b8fccb3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4e64a4ad78e01e509ddcf5e4d2ad644b

SHA1
a63eda3165290694a029ef4fa399a182831ef783

SHA256
44a49cb53c8cbdf65f55613a7c1f71952c79f3f46b064e2419607a8b2cbf6928

SHA512
e5ad7a12d0d9b584d1c5485b66960c6e69e810db0267b59988bca45c3b55b191c6865ac70ac9489ce9024cb0f3684ea54c08af24b4c57d95956e1fe0a5b4fcb9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
e7a6aeb021bbf7ef2efa60230d13e598

SHA1
ad8db94ea9984c42e976fdec71ddf8ae2d7ff464

SHA256
53d5991a69902d56a70bb9c315d7a9c40a08937f407c481a0a25187e2cb3c03e

SHA512
dc975caed31bcc2740a86c7dfe13fe3e6afa97128b3a1ecba63f268e4d6026ca5325f0cd533c548c6c0e8e46aa5fd2b0e2f2c9e33df2363bc2b1e4598cddaf2b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
02684c12c450a970313750c4d10d1b4f

SHA1
8a2541f0793a1c041c275e54147fc3c5a33fa41e

SHA256
3e9c7cb1c6cf456d6a9a265bd4a019097a3187e964d276c786bdc1b14ba6c13a

SHA512
2812690c2a497e063e49a3db46814608650a0fdca005836d8b4e05cd743eb8ded63190a0801a266a4ad3f5efe1a2d29cbb14f3b1bef95a7c904c2dfc522a03cd

Download Submit
memory/384-125-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/392-0-0x00000000025F0000-0x0000000002657000-memory.dmp

Filesize
412KB

Download
memory/392-124-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/392-5-0x00000000025F0000-0x0000000002657000-memory.dmp

Filesize
412KB

Download
memory/392-8-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/908-233-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/908-571-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1108-184-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1108-470-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1388-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1388-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1692-43-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1692-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-47-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1692-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1692-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1764-88-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/1764-97-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1956-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1956-570-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1972-127-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2088-255-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2088-137-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2564-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2564-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2592-569-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2592-196-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3360-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3360-19-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3360-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3360-152-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3600-392-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3600-153-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4152-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4152-195-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4152-51-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4152-57-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4296-260-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-466-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4296-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4348-73-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4348-85-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4348-79-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4348-81-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4348-83-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4408-572-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4408-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-33-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/4580-34-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4580-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4920-68-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4920-69-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4920-207-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4920-62-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/5024-128-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/5228-575-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5228-256-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5372-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5372-576-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download