78d5cdc079d06e4751ed3500ab95a8ab741069d6937c5025c48875e58bf1ee94

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Size

24.3MB
MD5

479b18b1b08d1642af6d502d82673edc
SHA1

47951324c1308809eb6c5a4721c2aef05a52aa4a
SHA256

78d5cdc079d06e4751ed3500ab95a8ab741069d6937c5025c48875e58bf1ee94
SHA512

d5e2f04703c87ef2454890f3f4702a961cda17e35f10732184151dc42ad1a3be2b3813d68aae145216f15df44d4cc74371672701bdccb0e5d6e028edad8891e9
SSDEEP

196608:9P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018e:9PboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3420	alg.exe
4312	DiagnosticsHub.StandardCollector.Service.exe
452	fxssvc.exe
1240	elevation_service.exe
1952	elevation_service.exe
5100	maintenanceservice.exe
4632	msdtc.exe
3752	OSE.EXE
4072	PerceptionSimulationService.exe
2944	perfhost.exe
1548	locator.exe
2120	SensorDataService.exe
4420	snmptrap.exe
216	spectrum.exe
1064	ssh-agent.exe
4432	TieringEngineService.exe
1344	AgentService.exe
3632	vds.exe
2384	vssvc.exe
3996	wbengine.exe
5080	WmiApSrv.exe
1628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\951c8c32c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a64b11009aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024ae13009aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cc4c9ff99acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5965d009aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ed077009aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3a5ae009aacda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ebd058009aacda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f600a6ff99acda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe

pid	process
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	452	fxssvc.exe
Token: SeRestorePrivilege	4432	TieringEngineService.exe
Token: SeManageVolumePrivilege	4432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1344	AgentService.exe
Token: SeBackupPrivilege	2384	vssvc.exe
Token: SeRestorePrivilege	2384	vssvc.exe
Token: SeAuditPrivilege	2384	vssvc.exe
Token: SeBackupPrivilege	3996	wbengine.exe
Token: SeRestorePrivilege	3996	wbengine.exe
Token: SeSecurityPrivilege	3996	wbengine.exe
Token: 33	1628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeDebugPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4920	2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3420	alg.exe
Token: SeDebugPrivilege	3420	alg.exe
Token: SeDebugPrivilege	3420	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1628 wrote to memory of 736	1628	SearchIndexer.exe	SearchProtocolHost.exe
PID 1628 wrote to memory of 736	1628	SearchIndexer.exe	SearchProtocolHost.exe
PID 1628 wrote to memory of 4388	1628	SearchIndexer.exe	SearchFilterHost.exe
PID 1628 wrote to memory of 4388	1628	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_479b18b1b08d1642af6d502d82673edc_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4632

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2120

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:216

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4120

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:736

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
ceabfedd1b1972bd52944105ae30c8ea

SHA1
13bb16a6681a15b66a6bc637b387ff5e660fdecc

SHA256
c14b27faf66714bed8a63da3c49e5168f6e6f12e6d0489bc7e9cfdf3253df117

SHA512
e61f184f0e49cbbe9b76c5931680f161e30f82ba21ad844e3cc6532918e277b0e4acd3c69c6c2610c625d1440d42007efbe2e2fd0ec58f776fa6af834ae7ea74

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
fd43bc299cdf22f3641d149f9d1353ea

SHA1
9e75eaf279bb6b4bd0234b0c3d2aab0070d935ac

SHA256
1af778a6b2d28adea129ae0bd9dc785b67c8783d9bf4ac5f62b06b52b9f87a44

SHA512
507fa806cc6db8fe54185b507cab215c6d093bf019ed6577406835da8cf9c11c8e55a26b442620bf2921ceacd0b58f3643c3cc83b2717eb56600e3001be705fe

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
ab69c41da7a2f003fb110d8febaa035c

SHA1
d39fca0e0d0436fe69eaa1a8851db19bf44dfe84

SHA256
ac04351b0ddb49b78c0629d301402e29a0f8a383a9bc9be0e8083e3891af7d72

SHA512
45782645ddfeba2fe0cab516f352af63ff74428e93729471ac3919e571c3bb0505d46f19886021f5106281da311d21bc19f7602ae9941ffc855efb824d7d48d1

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
cda24f0865258b43f9a72017c81672cb

SHA1
6b5c42de24f5baea64cc181058082c831da758da

SHA256
a12bc4d141ade3a6fb1c10a80a176e5cff262a8ab18135516098073de8300acf

SHA512
0d5b6d023f2b76169b5290dcc3bae5c04aef6b2e0fd467727d4be0add1f0d52884d5b7c369e05fad5829889102fa7566bb3de9bb7b057a3507725660b2627bcd

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
4d6bbb9031e9a2a03a79d3da3c4b6d6e

SHA1
e00187468862ec4a1230a9f4a77d09ada963d5f2

SHA256
328212dc51b2f02596f111946edcfa53cc34fbbd1e457af01dbe55560d9b5e2a

SHA512
86d86461f4c17c2eecce5893101c851eda19dbab010e3a90e2c73cb537b89ed22f3103ec00ab55974a23907360f4566a5a8c91f0cea291f8578bdc4aedede0b7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8ad7ca2ea125de5b81ca362220130707

SHA1
d763a70c12ea63594d5446552961b805eb03ef5f

SHA256
5d15c13f376ca2705a76a479dfe3938aba82a3d7cab06860242c359f8f50493b

SHA512
babea48445afaf4dc35a640bd20af72d2c30a1fe6cad37459b718c767b8921ec356535cb43b39ed35aabf5a00378fd3aff41fec27f9a541360ea57cd33ec70d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
acc87f4a86cd1708bbed719b3e17adad

SHA1
70cae18cd30fc36184b8bb3c852efd40aee8468e

SHA256
451eb940339b0acaba30ed1b982429cf67572ef1beb936bf23bd4ba4145ce785

SHA512
90e265678f8972b8dc011b8f867b8d21757031c8f7d7b2e785047840d0a790a6d3f93a3815092f78b64c95e1b029d89b36ee018466d3c3db07f454d4f42abf6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
174d9cbfbadfbdc1e82dcd7298dd21d5

SHA1
996495f004aa93d0129f227ab65d98fa6dc4f83c

SHA256
1167d584f3f74414119ec19516c34bad7230ddf40834e4780db5d08a2b47e260

SHA512
43185b40050e7df63db59733963ca40254092fcedf598419e547536bccfbeac42a999ded295ce9bf17b20743d120b7ea92ba7717c94a70febfb2b327bc1121a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
918dfa09f1c65a4b668c97b827154b91

SHA1
858e3aa7b28259e82509278eb61ab3ad2cb6805a

SHA256
686036b6c36b0caf9560c218f65f598ea676eb12dda36b68e9081a6b8b9b196e

SHA512
315040eb3a36b6b6b315ded2df7cc95a3a71280bdf34cbd078a85b860446652b824c49a6915352ef368e57496058340feaf03f2813cd8f8e1d01697864c7b803

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
16c8a46a94753e558e7b7e64a5c5ca61

SHA1
b89bfab7034dcec811bbccb418b7cf0acae74b82

SHA256
0b1e693172bc703e088354af1b997631fce7cc4711841c3a8b11802ab83c8400

SHA512
416b02e16c5954ac6501b45b48659cef26a2ded00874ab6b5791ba1abbc634baf53bd2cb85e141771ee066a7d394d52c73357078d9c71e14f33b311673fa6b09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
29128916b2ce7a3a38e78d85992028d7

SHA1
0dd8f0c98acfafac9f6afb9251e58d091950fbd3

SHA256
37a3cb34cb294f1c729f2370ad98dcd12f6261dbb7ee933784555854ef0aced6

SHA512
557026a458197f7316436062883faf040cbd32930d1263a58c3203795fab868cc45615da205ae5107975ccd9c913251f0e19def7e63264113d5cb22c85e21249

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
60f66ffc4367c58a0889222cbccc442c

SHA1
62e2e9560b2baf833f75dc6b8457c8b6c4bf7cf1

SHA256
d9c30b2245d5f90d8432e6b17b5e88199a4de6941228301685e1116596a60059

SHA512
fae4829bdca50ee72271e787772862d0eeeb7d02c9613206026de0880684374ddb4c245a9d4d8e0154d2e7cffe0bcf67a2216f282329f77695f3e6583b22e9d0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
508619ab6d7845453e96e0765284eeef

SHA1
aad2a13e43bb1641e68d8ae0e67ee94d95295d7e

SHA256
b256d64e4478304f9125e0495a66486ffb34a47adc00899d0ee315ab3ad49d8a

SHA512
07343ce96a72a58ab22dbd15b98d420934df8359c0fe707d1cc183f7781a2fd8064821ff9a13eac01a86bbefe1af519b87f0f12a9441d6ed7506bd9b69cbc344

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
6a9eef01d28233c12f5442b5fd4bde27

SHA1
301093c2ea843143be4a30da7fe491184e8db996

SHA256
4f261b4c00c0245541d5556d87f300690c70bfa2421974c02f224f539a2527a2

SHA512
3ef2165feff212883a26f94e706fb2dc19b381d1787baa46e4d19d83eefb2758a4b5ed4ce5c946c9538f798780ff6ab152a7a2da56d66f940a299dd4a178b764

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
9f94251f8bd84990d3dd0e80de2d35cd

SHA1
a116b97ed4133562a1367a636e863eaeeb701945

SHA256
921a0b402df08777d4e8553265ce6249be248937f00b073104ac071d4dcabc5e

SHA512
969486a9111d4b02522b30c6735461598c7a9fd3462cc75af2c766cb5b0c9075d2f4395a249ef317f9e013e508eef898baf02da04c0a002f2f04e952fc7deb81

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
97969280ae185d250d4c15aeded8e63e

SHA1
fcd9cfd485390300d733c67f71e36923ef92a277

SHA256
1438437c9f7108d583b298b53af35749e15191d52d05ccfbfcb6a0322ab12e78

SHA512
76ee36cf62a42c5a48f820212ef6ba0c3a68887de0b00dc9515b78a33c699c66ae6b2016766a29cf20c1fb24c46776f08651c7e4094aa3443f615fe7cff1fec3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
fdd12a38621ecec65dd161bf3ff2dc63

SHA1
76db265df9f22bcbec7d035a17c4b729d6f23f73

SHA256
963cd1b010854e97b16549c553b6e7695cebe45d5b4443ddadb1189529cca512

SHA512
c04104fb2b160782373c4a9604eb23695cfc7811aa573ae1b095d11dce19a859f43c5def086465818ad3f069d7f884f0f16f9befcda51777473162abb71b0792

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
1421f880bd5dfd985b6375b1d85b90db

SHA1
6b013c0dd066e56f2764a8d7324e884d0488f43c

SHA256
36a1aa295e35fe7dcc1eee6325dc85e82c161d0d57ce7d1b62daac370b8ea57f

SHA512
ad53aa236d56c55ba3b43cad1ec64291e5ce7c3546dd15d831a340cc640162e3b81197f206a5a725efdb4f023274b89f5c367b0577c0381331f9541400f967bf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
6fcddad9f256a651c1f6bb8c635f4e8b

SHA1
fc0f79082761c696b806cd2b00b81da47dac7437

SHA256
273a2511df82d7bf96487e5afee603c9005c5c57970e70ffcf2f536b1f3ab2be

SHA512
4a3ee2c712499edb728bf2527430c6f29eee8ab0f43b0a2cbd114ef22c38018c2f96753874537e0e1e13472fffd9f5902bcaa401dcf50f3cfaca301cd76819bd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
633653a4ee45995aa48972fde2836439

SHA1
3fb04c240183ec8b33f6ca9860f2d6e9adb9548a

SHA256
b3295fb74cc2bf02ce3a05ab3a80c7c785d40e84e1fa5b862800b6f27f16f2d3

SHA512
586e3b8d17a9c4317c9de36cc0849ef0b727518363681ecc8b9ab3abba009e94cceb1fbcb382034b72cbc90e1b2b839a375c3c80e1537e1aab16e2906c5606f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
450ab5274752902cdbe8d08a44303394

SHA1
a32ce7ab57c1f68b8bc50f5883295ad8bb7e975b

SHA256
196f300658e6da9baf321aa44da4f3324a3e6710fa65cb493e15a98bbfe99ffc

SHA512
b29e549018672b91aa88ee0ac69c45e6a7ad874a27989e47760136993cee2ab4fed0f1624a045fdf205ecaa4e71f2606c32d795e60f6216262ac08e33cbdbbd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
8410e349e8767a2ed3bcfdae784c4bee

SHA1
ddbba741e74867d54a31cf4ee90f0f0f7c6a2173

SHA256
236f787f45117c114b0eb924ff62bc3112cd7afa3e8493acedb605861f29bb4e

SHA512
7f870ee99688300be24cdf557e328f244f5c1095081674dd993fb644d918eb305ab55deac12f6dab05b848974facfe4271a787804c0f5e218ae70fd0c44e6e57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
bfa544b697b82fbbd02db448f8cfe0af

SHA1
d9b0a8b6aa732ebed665b6bf6b31662f25107901

SHA256
58e9205501c47af47180c8e7031cb2d544b16cdabdc7e1d8e68687302f37e46d

SHA512
830f56ee1a76c1911deba53dac992cb325b846a37bf7df610caa897df6d6500862966575f13448e3d96e613d42ac90b526ca0e0a766a971aa2704787e6298922

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
a57d7eb3a38ffeb52702ffdf116e48b5

SHA1
19157af15a5f02e5f6922b5315c31b0293f447e2

SHA256
32c9a75162e2ba7bd6d65ef525f5b5514b53276a11715be360e60587a35dc160

SHA512
729179c21d7d38cbf5bd6be1ce3a85dcd4138abc12e6ec1b551c24279d65671c00af02b3d61d6ed9e99b83720aa75762e424efded52f46f77eeb8254e4014104

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
8152214254ac73d9d112c0b7bea0e41f

SHA1
de49612aeaa1ecaf8bdde6ad791d02cfb365b17a

SHA256
7d753fccfab89805aabdad16c341fed7939dc441d2bad07d867893d7e16f930c

SHA512
94c9013971d27b0551d56dff35650beb7aa9fd234f44324a8705860b73666c5e0d7ae5761d70c33e7f60553bff931968e6493effe860966d4a704f65e8e4300e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
f0e0954a34c1ed3b32a881cea1b84d1c

SHA1
4743ba7c9c0fcf1fef2142e4243c90bb5adcf294

SHA256
248773bd7275475ea90d314b20877a6fb9e98e81558eb98c6691baeeac7caf86

SHA512
08e18d0902c205567d54953f52f84bd61c8cb94039eb86199e81f0c53c5ef359fe86bcc9be2358c1a60034b1c77f96676acb2a0b6b32c1d5064a12f95ac4d62d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
697f6fa93a8590d601a7718e52342e9f

SHA1
80c02e9249605cd3a8077bf558e494e6b4319ab9

SHA256
7ab697053ff9b0c7b4e271070d90a1785e7c13d2f7f6c0165d56b8074c6c5613

SHA512
d9a0600fead67276bd870e651d0eef21e09795b012cce3a55b6f9398ff4b903c666c5cf93e3a17f0603ad32ecfab84ef4853679cd360250139b4a83fa574d5b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
48092197da284b4f7a5a549cd4ced3cc

SHA1
d063c78b0692fc62ea1d4ef57c64c1fe0873bcf6

SHA256
2c8086191ef7e3747ce1bd82c376e62e172041d7a8c3567f23b295ae40ccc162

SHA512
fb89ab4ca3f8e63df088f6e689423c75985011a98805242075c954aa0667d3d6ddf1a3cbbb46bb6366d35a494b7cee86850f481eea1d16b0f60876942557e9de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
ad14fc3e0b92774b2bb407c8faa5ca0e

SHA1
12e09cbd8990f1ff329839e4377b11657dcfe31a

SHA256
688524f937aca13f748705920ac45a217477e40fd3c363350fea1e91bd3d3688

SHA512
6cee3a5c1ddbb91167e817427b5ee50fda5a77a4ed567224755bce4377225d73e57beef77970692095636083d903811710af6f6d4cca65432a81b7a3d1e34f90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
73839e854b381d5c3e4432b7848eaff0

SHA1
1d030c60125ddb74e8217dd7e0d3ee19f7e0c006

SHA256
ba5336c9735e9a2fd4e5de27c155d8c5abf4e8e2755a26f9306ce5e73c2784d2

SHA512
bc64972f00e7239a7f270ffd32b48f43b23d5adf1c3dabbe908ecb7ef87ada34754cc1cd6260c3048b415805107504d346c2859a54061d5b05448f0502bb36fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
08ce8131f569b1437393e51893580266

SHA1
7750ca22c9988f23a609e530ceb0f41ba629d637

SHA256
8169562f7efa0592b66a460c6b628749ec55257f01df509103f670967b8768b3

SHA512
25a37f27a76113a1443612aad1d95dafb61c51f78b886eef8b7d9ec4483bdfa686a4d902857eb17ea5c2cd3bcf7c93f190a0a841d3d4fa8af5fcd58b16d3e66f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
bba6935b048f6551479f59d6c068d337

SHA1
9fb212af67b5be8b28708332c684efc297d9f0b5

SHA256
82eaf5688ae65aa119373ab1128b480d12c42368f21df9a948c78a5db2c2edd2

SHA512
11a9895e12efa9aea28903448c4801479101ce8fe5d189680098c05ddca7ce4056ca7df8120fdded9f4c11e867450cc3124194ab37681c050ed78bf33b1770ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
c178d86e118dcfc499e8187cd471da77

SHA1
7ae9957594bdbce8a77397a8dea508b7fae4dd00

SHA256
b61e3eae0bae1796bfd431f7562bb9c69f55a4bf2f3991d56d277d62fd698600

SHA512
662bf307a6261d8bbc0f2873e984f352d9c26740c657653e9ab3bd526c7dee81abe73a4aee18cacd349ea3cbfbd221593e3ebaff6dde3a04e21c9cc67b01087e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
fb6f271ae3becd0dbe7b3c9753e3a9f5

SHA1
d74bd0a4a5710dd4f2c63161f8d93923bf607d0f

SHA256
d1edbd65cf7ebf375fdf689e25a813278b8ab2549f0fc713b967a40bc7cede55

SHA512
7794f7df1b4fbe03f1edb8306f30a57809000ab118ad4faa9b1f416f39de0e304e4f5b7f767e5f81cab3c406fe256d4dcceab5825743cb8e5b6df93aecc4bc9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
a1a1b88501b9a557077912a974ad5430

SHA1
38b95b77cedd4d25a070ecdee52385d3465fbc08

SHA256
57c55cdebb1b2bc91bd920f834891fa2dbb8e610c67d7ea43da278694308f0f2

SHA512
bca663fed65d59a61aebb37d028e61953e594f8a66743fa1e6b9b241c5377d7622f55988f8c55b440e0a0e8af2c3dab1d9ea5c4db726b437f11296eff1268589

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
8d40ef31a5d2730fc151320f72488a74

SHA1
f7b2a56bf517b38617a7dd104e88b475208f070c

SHA256
414af3bde698ed38ba597596f4f942153da7829f7de20b054cdf06b8b57a926f

SHA512
eed4846108db79b180d68f794b65fbd02575fd9e25eee08061fa2a5c83145f3ac6218e90a1757ddcf026aae6065feb7f402649aaa3334d58cdd8a5b59a5caf82

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
aabf33ff59c72a2ebf4e32cc3deabcba

SHA1
a8a01a4c13f3200a541aca9a759955bb6c5e3b1e

SHA256
5fbc5c11db6bc60a15126702c00f1575f9c17624ce32e92529a01c229da26cd9

SHA512
ebb5b8c198f31dbd10507577056ef213666d122227e58fddd9d00d2c1e16beffb2f3b8aa33089808ffab87f805807dc1241e1e944aec07000b40fb85f6922301

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
4aae3c59c658e13490dcc62020bd1b96

SHA1
6d9c80e4fb1de32aa0c1534c949610b2b59f5d38

SHA256
b8b3b8c24823a0b947b02385b95310850fa36446d4b41b1b72c730dbc6e217cb

SHA512
9107bf73835ede974411df189e24907951ec808eb53dcfdce8b1951574cf9ebea5004f1ada97698988b7b35619b1e266f3a494359fa5ce77a90fffc90be99150

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f06338311c43e39d4061642fe61539aa

SHA1
b149709f304fcbc4232b2d03fd6d839ddb719865

SHA256
548dcbf07580800c4713c796cdf7cfe41eae0182d6cf8ddcff11031e7e0494f5

SHA512
4ca81b4d2913f4dd1dd8613a0988786190f7fa5293bc629dab10d06443d6d57f75121f9a605f09172dd9355ed6c6b2871aa72f29dc1db76c2924a6b0e8ffd34b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
90a144ff5bcff3fd41b32b261ec2c0e1

SHA1
a46b3d665917e300eeff0ef2d3da872a0ca961c1

SHA256
6a093f40b833916008e0d1f37330ae8aaafd721bc33118732ca38f0babf6005d

SHA512
a8cfe3da4ff091e547b6adaacad5ede675563c80f7637ce3e06b51aad47c6b527c7241e1571857f9daca953d34c25e3f19a455dbca28899b7641ec31c2804473

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b7d33f4fcff8a87bb35cabb2dd3fca3f

SHA1
49509b12078ee378ec72e431f64a53899d5aaf44

SHA256
9b44bff5fda22454f18f34b20d90639a4f99099a94a7ecc689a294506e2a810a

SHA512
c637966e474f3be39c208d1ff87a827ea05c4730ea9c5930f9e0d688f9cc0ae835c3794e1f7a4c60b071b43a4373cb7bb48236a2b3c3437af4c5dbc998f0d2d4

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
428d724198f7b10adc78f47460f9c606

SHA1
5c47a9f5716caa681e3852ccdc4f3594b3aee5d9

SHA256
64831c2d729301cd33479d4b24afaa9d28d47125360eb51f52fbf84c56012c23

SHA512
deb790e2e9354472e0d177f6d3fa4a238b37d16ca35c0c2d8d027ee37ae0a42e88964507766555c715dbecbe7eaefb74c11a0c1926b88a649e1dbec13353b169

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
21b86c1366f6ab93d76b119a21f88b23

SHA1
452e87def73a8682f483d24d1f385cbb00a46eba

SHA256
552894bca261027532b41137dbaff4093658d81dbd0b7b741aabb21b5b360935

SHA512
ad6d719255b5fd6f118fc3b0fced64f127591f505498f4f6cfac17e8617f52b8fc6829e664c19b7606142ded917152381faf751e3b12b25ba3b22588ef67b145

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
5475e4f25751d87162db489784703c4e

SHA1
444b7ef7f1eba8ad70a1ad3015d28249ee8aac4d

SHA256
6ce568004a325d2f4f60aa36a7445a798bc58eba527086011ce52e6e98264dc6

SHA512
9f7b14f6b01ffadef3c2ee188b311940945eb2d6175dbfefedf73c05cde0af7dca623cf4c3b36a4b95ba57cfeb915ce804cc128bd39a5348f0aa78c715e9e21f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
dc9b0d83d3bd73ffe9878ef11b7cbabe

SHA1
54c3f908b7312f3d099f7bce5b6f7b06a00d26a7

SHA256
3b829607a0d8b9d3418d3ea7c0e8b2608ab11b93f9ad0b02de8d9d42299aa9e7

SHA512
634e91e9094c783917b6e53e2faeac9807e431c51630fb37269dbe00a496e88150e7d4438e33d3229ed201e55ce33bdced4b34ce7e1553ed7926934118aa6f26

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
5e83117ce411b4fe295d618058ff2311

SHA1
522783d698769c01f6ebb38b453920c945c1bb5d

SHA256
a13d4692551e3948f46c6937b3e4c3261075b93f451a12eb0720806d27d8a394

SHA512
843fa6a72f595ccab4cad7781347ad256bc235ef3f17ab004dcbca34c67e49c97d3d117c5041f28286e56e56dc8d44530e81b68b7f3fa8ad30277cc3ee458aa6

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
5b4e5a1cc28aeeafcd06c1f0fb633914

SHA1
3c0950b1348a428ade16a2478fdd9a0efee0882c

SHA256
d0802cbb0139f509c7578548261f7a6cdba9b7d1537acf6b6a8df7ba9a7ff719

SHA512
5bbf1b0f3efad4482694c20d762d74e03f6bcd6a01874c4a49e16130c2182ca34feea4f6455c243d3848f5b376e181b453cdd5e07615c3b7c4e2f9ba81e7c37c

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
4bf53c6b5de07c21d89841c4d46f6340

SHA1
d8e2da9bf11e1b0426e78d83239cea6ea1d2be32

SHA256
c035aba1049777865c27249ca4395b56f2694739fb61220b5c6e20cc673fd4f7

SHA512
04a25693d1271c1a937a739de701e8ceecb7b28cf0be3152decdbd87ba36959c43512cc839430dd328ce5af1520df0e4d41335c98032055f929edd96f0297dad

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
63c32601f67537bdb68d57b56937d492

SHA1
ee0d863ed6a6bc34c0280f96a335a80720e031e1

SHA256
e5ea716541486ef237fb80b86c73887be4b61b2092670f2e23fd8c330cbe332b

SHA512
24c5e7b4715c6be0fa5f01c8cfeb75bc9db5db5cca26e09ee2b6437bdb03f2eff7f2c6c04dd57dd2c16c60f379caf61bad992a82a4d6242ee57b19d27a3fe920

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
5fcfe29cc94cc0f0dd3043bdaeb680f3

SHA1
0ffcee79534a1389f404ec5ac45cbe558387178f

SHA256
550d1c8606dc201a9efca3136044ffcbc3d606b9321276eeba209a82d57bbebf

SHA512
f3603ab3b0a473ead7675d0e22581b6bdd5a0f38688e5522760668ae28758e29371b384bd19688b06bd5f4019af8949683a3380c03228c434ee576a1b654a483

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
92b4d9d9fc0fac128fd1a0cc8a1b142c

SHA1
6ca608b08125bb680db8b59f7baf762bc1b5e0ac

SHA256
8b91904ba8b37557daaa1ae6cd5673728cee20b3f50e504801ec995b7ebbe748

SHA512
4bb10061a8c9d6bc649f550e5a89c8b27dff55416019eb7daea79f4cb64f2492363fe2c30a11d814869ec9751b6b5245d47d9a146a3fc25cb6dee952d150429e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
e567f2c6c59b9a48cac5684ff1cbf76e

SHA1
e014049f0ebdff809a09a27b2740d7efe705d9b4

SHA256
823e925fe0237b90454d8c186f4b4cd703ffd73b2827887184013b5b71dc09f6

SHA512
94bbbfde4a53007104e365010b9d6457cbed594ea8edfa08483ed29d9a56c64174aa59b8a0335b208c1a3a17431a878b018556865268e614176465537e81a1ef

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
68d073027caf9954436ce06aea2e401d

SHA1
4e08418f24b9b5b7b3c7d90a4d892d2b3c58de54

SHA256
8530b5c18083a4386beb7301340fec768a9641541c0d829f2e7ec5360e7e0be4

SHA512
05fc6c0b69fc6add2aedd2f10757bef384f0547b9b9ead924406bd9ac0e5edaa00f99462f646aae3b4ac2c5f9d96e6ddcff20df2b60c601a459ee211be7f0891

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
5e97c81b8dc790eb3f08161b54a14a2d

SHA1
30fed06764df6ab167c0ef639a0d95b40c1bb835

SHA256
3056ebb0148f0b135955be47169b2dcf142879d7a41271cee823cad19ba68ff2

SHA512
0c78b6235afcd34c66216950fd392308d7c5683dc736f30d83cc2aa1bbc7cbd6f458a630f281de28d7ef48c5c93d5f7218582a9c23933a62e6ac7c6d1275f187

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7ff86310576275924fa51bedfbabe27d

SHA1
2284c7e10af606956727fc819c96afc4db4b0e3f

SHA256
088e0721d5be4ffaa11a4f2789d2cd9416a72fb63ab1e53cf12c07147b544a4c

SHA512
35393ddbaa92935e73f55bd926071869454d652985bfe142f5a5b843d6bf6179ede5f28507619092a84cbd984115cf8d431fbc1359910b547c19d080d9d35b90

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
708985a9ab430321eeabdc1bcb2b6ef8

SHA1
b66fafb41a53afa729b2b2835e6645e7c8983130

SHA256
63cc8f0d1c9746bdc624978253f71cc001ef3de17bb0a303d826e10f6f5e0fc4

SHA512
b4c5159161406528693cfefdac7477b5b2e51b52f344aa30536fbe25a3c445e1504394b5fdb70ded3109fd59cf980b8de29f6319c0a435ac3ce1a68e6987c3c1

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d1aed3772ec8a471ea41ae074d74db10

SHA1
ce9d7ad50aaa7d19677fa5b089826361849fa201

SHA256
0e1e61ac319ae7446b54a38f4d76c80256b8825b2d88a2ad965b9859b9e2fa27

SHA512
0102bfe297119ad1b6ac9774319c90cf97ea522a14dcaf1c6bc173fbd0a057aa904d9d30ed2b53b7b1954e26e04b614929a15e89e6727a1fbe35791971cdc753

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
f029b3e0680d5b118867303c7ef3fbba

SHA1
ccd4f28fa0485cb0dae4669f9cc4a8726db8f4f7

SHA256
ecb1f485d7aec6060656855a9799f428f10e6975c5d83182c7366660b065f921

SHA512
66855b307fe13a3ce7dbad5b04b5586bb575164974ccb786e7a004336b7d568e57158dd75d47850d2896185b076a81ea464208907d8d5d2f71f218bbca41df0e

Download Submit
memory/216-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/452-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/452-34-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/452-40-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/452-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/452-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1064-216-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1240-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1240-55-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1240-49-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1240-593-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1344-193-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1548-210-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1628-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1628-265-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1952-595-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1952-194-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1952-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1952-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2120-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2120-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-263-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2944-209-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3420-589-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3420-18-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3420-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3420-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3632-266-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3752-196-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3996-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4072-208-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4312-24-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4312-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4312-30-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4420-212-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4432-223-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4632-84-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4632-195-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4920-0-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/4920-537-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4920-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4920-5-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/5080-596-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5080-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5100-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5100-79-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5100-76-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5100-70-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download