69ad86d72deb4c758d0e355e6845033b768b71e2430dedfbda680c49fc9bada1

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Size

24.3MB
MD5

097275181b738985ba398688064d1552
SHA1

62128c65a605febe1824d54f6f7e6ab70a757160
SHA256

69ad86d72deb4c758d0e355e6845033b768b71e2430dedfbda680c49fc9bada1
SHA512

06a9ab01a7ae331a1cffea47a61965772563be9127a6b42eb9f6696608cfa92717b10d0cd2b03af575d91782f96d6d2b26c3075768770caea98b449843381d2e
SSDEEP

196608:VP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0186I:VPboGX8a/jWWu3cI2D/cWcls1C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1960	alg.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
3540	fxssvc.exe
2816	elevation_service.exe
1840	elevation_service.exe
4964	maintenanceservice.exe
1468	msdtc.exe
1616	OSE.EXE
3800	PerceptionSimulationService.exe
4396	perfhost.exe
5008	locator.exe
3136	SensorDataService.exe
4524	snmptrap.exe
2020	spectrum.exe
3684	ssh-agent.exe
4296	TieringEngineService.exe
4984	AgentService.exe
2992	vds.exe
5060	vssvc.exe
704	wbengine.exe
1808	WmiApSrv.exe
2484	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6cf1f6da8beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\javaws.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93484\java.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e7d9bea88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2def7e888acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316801e988acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000792e8dea88acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000908faeea88acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f9f59e988acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b55eee888acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f54b3ea88acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063dbdbea88acda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000628d27e988acda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f619ce988acda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
2588	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3540	fxssvc.exe
Token: SeRestorePrivilege	4296	TieringEngineService.exe
Token: SeManageVolumePrivilege	4296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4984	AgentService.exe
Token: SeBackupPrivilege	5060	vssvc.exe
Token: SeRestorePrivilege	5060	vssvc.exe
Token: SeAuditPrivilege	5060	vssvc.exe
Token: SeBackupPrivilege	704	wbengine.exe
Token: SeRestorePrivilege	704	wbengine.exe
Token: SeSecurityPrivilege	704	wbengine.exe
Token: 33	2484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2484	SearchIndexer.exe
Token: SeDebugPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2228	2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2588	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4148	2484	SearchIndexer.exe	113
PID 2484 wrote to memory of 4148	2484	SearchIndexer.exe	113
PID 2484 wrote to memory of 2364	2484	SearchIndexer.exe	114
PID 2484 wrote to memory of 2364	2484	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_097275181b738985ba398688064d1552_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4976

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1840

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1468

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4524

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2020

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3944

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4148
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6f8fe6e05e6a51549089e55c121e673b

SHA1
60f4e560b00af401e650e00d6fda3132c871aad1

SHA256
844ec2048337878cc1a5e4d7a1e963c0da62750a915bde5d9657da5a015de6bd

SHA512
e32a2c35ec3e4d917721407f6df21bde14c365bdf835faa23e4eec870c0c822d1a73e47b0b16fdd70815ff3d1937927cff9fd39963fbb0a229efb784a45759ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
9450b7c52383161615347f574c3afec7

SHA1
152c9f12f803c2a8f158988dee52c4ef300a7b30

SHA256
c34317685d943b77e79eeb0e6fb3a17040002ffb26bfa6b8eda6331930476b15

SHA512
2a94df802a7ff0828225de077665f0ba51182f3bb62259c5270e7a7f4f3d5731de34ce75e8a365694553cb64cf92fbbb0a737b5824f5ba653be6498b07493f48

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5f96ff584549ac8af478eb3a35909bea

SHA1
02213570c899193285567ff2bad437c777237254

SHA256
a47bc07e1dc2b449ee8af7240b2b4de6c5feb0403a0c671388f7b5b7a612d75a

SHA512
eeb8b91911eb7a313fa88760a98a33fe402c46c5cdb0dc6d30e116173e1217480fddc877213270eef85564f868f5ea0ea63d5a107e01e0337f96724ab1ba9d88

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7525319587c4eb77300ae587e0d9d683

SHA1
24a2a9cdfa62cda8a2f624263cf9f9c2fbd50f5c

SHA256
c04b07dbe56164afab5f1c12c6a540f7b8d3fe2dcd073444c6fc5dbaf92ff5a2

SHA512
e9761d0b5abfc42c44c24372ec976d66de40602ba16fcf8f8fdaa7afc537cc0965e9ebcba65feb563ecac06dd3f867e5829857c0101403855b9bd68773702f86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2f66e4143bed24215dc7ab3ef8d00bf5

SHA1
4875feae6582d268ddbd2dbe641c4af4ffaf8ac8

SHA256
21745ba207996177b47154adbc9594c6254250b7f5cdbc2748e89cd28c66dd17

SHA512
ddda64a1ed469dbf648b5bd42882c5f07516b8aadbb132157f55696c6b04efca15c9889e2981cd03ea0c761e48ddf3e7e9422022ce508338113da67d53a88c25

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5ab4055aec1a382ad7afdd4e1d720609

SHA1
d4e062e1f799ce57a4d9e705c77031575df85e42

SHA256
8030f1515ba446137b36938659b68c03c1edb66ec186e6468ded3472d1719648

SHA512
d765ba809932dbe297308dc5e1d5324e59d51e3b500ccf940f33489baccaa58f206265f5f25b0d3cca0b47965eb9e183c64b7638a269cecadda02f87173bcb51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
92e527f3ee295e924997d5dae030dc11

SHA1
0e91888289bffc301ed12b1dc072cf8fbaa3546a

SHA256
6540f56ef4f33ad400c38366153060384e699162165cafb5e36fb856aecf85eb

SHA512
6262fe7c97954b10653fe81fc3f31bf99a27f2566e1d3585f4224af94715d81177481cf8c2485d15530ddb085ba0b15e3f84600ad31bcd5191ee7157daa12e5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a04fdbb0cb2b26e2da5dcf84fc329f82

SHA1
a38dba9ba1417cbd30c19fd9a93be75935ad247d

SHA256
e5c17a25a926d343d0a0b7d873f4b44c8156aa89db6549ac4bca9ac1f0920ef8

SHA512
d542c571e3f0eef0c744a5c6f90de20a581beb0069f90c8d7e13a1b9af337cebfb38ebead738839f2fd6ae23b1d0213197dbce37c5b531c5a8438f61bcdc962c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
77a0e401aee1054b2be611f7124fde91

SHA1
b48f70f97ae45f6cedf0fced8e5b21e12c66f3a1

SHA256
29f66e142de2a34e403e1fa33a72eeee36a12ef9f2d8ab0b748007b2b3383d92

SHA512
dde4dc809aa365600df664d979ce814813b6fb52633f193390189210b49cb7eba1ad140fbede6b9a6d1c36a2a81ef3dc71ef34b6929708532f437e73a5301188

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
00f686981d96994181d662e323aae844

SHA1
60fc1f89c9b7f56f761b3cfacd952b41e0953203

SHA256
af81a67db27fce405cdcb4548900f6f241817940216101925294d1ac0e016463

SHA512
569c6b02e2bd2fbf441721cdb5364b3f57d67a899b19e79170e5760650857831a0d5bb5cd19d461d6711ab16694fffab148c819067537ebba7e5372bef840ca3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e8d40c477273ab4e39141fe0e9ef51d3

SHA1
a21f772133e32b4e57a20351eb9117fc35fb5e39

SHA256
cf2c5a654bb34207e9def438bd37ea43e53a7c5cfa09dcff32d73a77ca48b639

SHA512
499ac7ccca95b242450042c247ec00519878f09740f5da23f456735ca7a1dcd265962d37baa88f18c955328df46367df948e59fda4f17c443346032b992d0090

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4ffd1f47b861b433c4756eb529aaf591

SHA1
b53659b71d6ddd146adbcea7322a6cb96ff474ac

SHA256
099bdf4675ae0e3d295bba3a2eebdf08758644163e88db38e2f877bf7c09027d

SHA512
704926d1c7fdce04fab325f67e3c2fae86719935b8797d1d16ba5d77ea28ac1468324f088be038c18faf4070a63035cd624fd2ab4f17fe624e6a96f3012f5e28

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7bce1c1e967e4f04ed5a453e4a454f28

SHA1
663cfc321ed4dd2ea110f53096bcb6a6004ccb5c

SHA256
bc29d6f9ffae8cafec918a8a67512c9dfdc51a521f5b8d7b0de1707ba8355935

SHA512
9c7704fd1fe693796df516a8c79716f80ef0d301c69f1141e725aa59e7519d431a5336b1eafff84647a70f6cd1220bcb1bbe4d34c4f39de95c3ad0b51ab03f73

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
19ea21fb58a14b455304cc9b4592709c

SHA1
e2497cdcb5709fabc8b13c187b7009b065e04b83

SHA256
5ec8a8571010934aa72b1285bd28c67a740144b6118140e3044967f8888238b5

SHA512
36735f861158ec70bb759b502e5df2fcfe332f05559523ee8f9cf64964814ff444f0d39b48ba6bbac95f546ff3203bca4b470b53127a64ec292802ec3d4e12a9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
53ee02f233ed209f7d47542953bc78ac

SHA1
24bdacefeb557ebd2749f1edd7fb518b8b207951

SHA256
127b1d3b645ba9b2e37795998c96a2fc788008b0c40ea643cb1ea45d86acaa20

SHA512
30b09b1df2116129ab89574ac95e793da25c38bd0fccecb062f580e7d95bb37581c6381b5bb65c2dd3f795d96209737acf4195a87442504e6c074af295a74a5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
0615cbe995521ebb8c67a7695ed99ec1

SHA1
d37ad3fb6c0b362dd9eb62faa735e65aa3742be2

SHA256
122690d91f088470d605274b8b5b47e9c85bbb47baf0a50e1f9d11123f1f2a70

SHA512
79577024b638d271cb1af6488cdc230a30179c1f2989cbe113b2fd43b27420e288f2e66918cda5a9b4a9d61f4afb633715691836dd44e6ee5dc9d0381ec2f791

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d784286edfb61edc9d9623fc48df68c7

SHA1
15ab97eaad4b6c422a377f0e9d8e9861e2934e3f

SHA256
ab9a882db14154fbb455cfa6b25037acfb952f5e20d09fdcc9b2d6a58b3c327f

SHA512
90986119b75c0a4456cee6446aaf3249315ca5c678e46f7f17adff8d9267a4fd0971f6b86b2ab936a5174a9794ac77c667a5b2a4fd9644ab6b4d15d14638401b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3f6c1526527a749deade6a9ae042ef2c

SHA1
a6e84aab1459b026884a3a1003398e2282e81492

SHA256
af5800127bdf11892b11ddfff0fa304b53ac870558d08da12ed2fa471353b91e

SHA512
88d10af1a58cff2e6d3fb4f809a7780343eda18759489dd279c1c22366b2ec12dbf8f8dbe916d9dbe3f4b0c2d53a70363f7f566226caa6be32153785ac2bb5e3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3526866b51e38a98801017c6be69f583

SHA1
95f40f907b12fa2f97c90efde6a37cfebe028fdb

SHA256
a46ae3f9d5c87f6ca9043318340e4f508a6bd0eda75d2e9b51f475f9782ecf50

SHA512
685c89f89b4c8be0a6de053afe09d82fb80f0596a6ad3f64870e89f74437792a777fad28f794cfaac40f3575c068309a0636ca8f58b53f02ce621a6b2648ca92

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
33f05c7dbbe9fa1be9bff922ca8714df

SHA1
c4492694fc26ae0babcab065a9f984cebe5b71ed

SHA256
a5f593e5c6ba395212ad11e85582ad116fd1c6df2e6b1edc7e930079f4cf23fd

SHA512
de63b6057b44da9bcab37a640e395e84e3c58ae212cab4082700d31d5046bc90110e1eb734b6068a5400cdb1346563bb2038fbbaf0fe1d5cfc5f05333cdb0212

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
75d97caee71c09804578c7b17e3d6d2b

SHA1
5d260e94a91111e787570dad3f3ca0dd5740b291

SHA256
5be11beadc174909ceafbbdab0aaaa13767700da94d7612848ee18ece895e676

SHA512
9e5065f4dbfdc533ba9b76b30990494ec7cbd9702c2ee99f13d165e14f62e6e94c8430a2944b8e57792b427c961db6d5ed720b8efdfb221ec532545d91a5ee6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
827f51f4a6fb6c7331d862ebab323fa8

SHA1
9109ff02b1da4d0344a1c95410257873160eadb3

SHA256
4a2674a0d2e3783f5cac84d442f4d403f2bf4d34dbafdfc62b13c83af4d3dd24

SHA512
5d946c1421788b2204d11f50bf79e6191daae51af07950944b7f49a0e3285f41bfcc0cd16524389320aed333ce5158dfa4cc06edcd35e75a07de9b2d3e03c1ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5c156d420d223385c99b18686676f90a

SHA1
efb46e2e34db6c14b3aa9ea229dc4076943e0751

SHA256
0c1dcc457a15bba76a2ec315e9d9252695420d5a7e87fc00f4004f50fcbf4eac

SHA512
307a5546859cf816b44ffc0bc8faf19352025b7358d991eae3068f5d2d9cd61f4fa0a83a32f8b8abd3a2e3db8b283a5631368c40a3e54fbbd89b99b71d4cd6e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8cb39852c3b1ba4db49d6ac0fa9acea0

SHA1
a45a31841a5fb846145b95a0838a7e39ba3a2f20

SHA256
e25aa02acdde34bb68cddfd60457926ce6e501e9a5fb93444e5aebd3d3cd33cf

SHA512
671fa5a361296abe39cc3bc1fb646e439921f53f302a50837d755fc11069449d507cde1494525ae68b4f7ab867aa945bf9dabb6bd2625b755ebacf9ea62ed6d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ef21cb2b23d882a5847eeb44c3ca2005

SHA1
d6ea8aa4071346d292a27f4dfcf730f6b2c76ff2

SHA256
a0d486c386bd03c50447770a99fe387a4ba08ea0e8686f10c4c13880864beb70

SHA512
590092e4a3f706edf79b893b783e82bde1e54e51eef722103905aa805170c9d02972b3832053e660dfa6e68a5288db680068db2b94773863d971aa920620a7f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
630394ae581a9d118243675f1cf7fef0

SHA1
a95d20f3684061b543f9d339575daed90da72293

SHA256
c5d40b3f1f3821f6d7f4db9457e41870fe3006da1ef3154e639fcd278440307d

SHA512
48df6b21ee2baee0491409cafb67b203b4672b638f8ab49fe96854755c657eacb64247cf6e4fbddd964dbba40e5e5b8a5425e35aa5a91389b07c6b40d82cdef6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0bcfda1e95e90ee178d83faff6cdf0af

SHA1
2fe86ffc8025821a87147f383cfd3a75e1a0e716

SHA256
cb552a8bce05a45770ec41d5817ba1dab35cd070e82a89e52cc9f29a3adcb83d

SHA512
cb8d52b576b8e07ba52263b17479247d9a1f763a5e63097a3306b1b8e22e3df5f070e79feeaea4267d550e51ad2dc04bf286976d82d77a916053794b7c5bbb98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5f893cbddfa4f1e1b71f0ad923fb1878

SHA1
38ae729087f742df19c1e7a302f091cfa0282160

SHA256
5abde605ce50d1d2a8ab85bcd1dd26c9fb5102168dbaa70509208b9b02a8c4a4

SHA512
6cadb3811cad18b7ecba61098bd8d2a1dda446f789a24f64191ff37be14163832e5c1ed7dc5dc5bf066328d379719a78284c0f2eb3ede73d9a0f926eaddade77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
98b04aabb8debff6ff6732397f8e5752

SHA1
e1b4f33a8143c662e854be531b4dfadf9946d9fc

SHA256
1c5100afac9b354000ad80949e9bb130941c67cbceb14f775fc14a7f655c5ca4

SHA512
8d1e85433418e8be2cbc90fdc3b6c875c7e2bbebbd1cd117d8e6359947ef47b8ac3f5e86ee053382e621fe391671944db19b9fce2911a35e2ee94f2883fff7cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
821cc3ae29997f4f4eee888f0316a2b2

SHA1
a5b50c979c3bf621248214b4b447d303ae6fc37a

SHA256
32957fd153a732be071960ebb8a6ac31da0936bda03567e1de9b007abf2c6451

SHA512
7111b9a4ea662bb53316240d82232dff56bdc65c7cba5650caf50b1e97d8471fb26b848abddf22815aea6157d680916c81010c78c113c1e3db86873aaa5add3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
44bfbfe3d59c8d533685a5abdca046ac

SHA1
fb998c77fe51955632a3335686b5deb7baf89fa7

SHA256
0a8659a232d9426569c9ddd3307f5747a0b3e9b4dbac0eaf2e1cfcbd9817664f

SHA512
e57a156991b6bef6fc6753691008163c11a1affe3573208c144796208eba71196ceef01f6ab0bb4d1696ae3dfa6a318c035e0b0611046c677bc3b594bad31786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
9ea5e85a8c73ded3180a79993c9004eb

SHA1
bce63f013b8c81f006181ad59188d6620aa78a63

SHA256
1505a4d6bb26858aa7dd8ce873219cdad41c546a43dc81e7f66dd636fc8919ba

SHA512
2e64e5c1c1bdd30d379836f9b00e2920d024cffd27a11103ef33226feaae1cc20dbc995da5df8d48130c2711551043088dd0251a62f9ecc80bb08cb91d2ae9a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ade7dd7d3ebb0d399a52c76c61207a77

SHA1
44780a0b25d1c8bf33b8bcea06e595749b7679f5

SHA256
5c2b5401a60c4e7dd7dbc6422f9da60417b39813ab93bcd33610bab98d700d45

SHA512
63822457179f2f7d24c48b6ef8c2fe03fd123f620fa22e629e058f17430b52b1cc7bfa81098f3ca39249648bfc14556cd82e57aff8863db0640b195588e5420c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
06a4af5408c047a22c0a87161719ce8d

SHA1
8113474f0fb3f3f20d0c7c78a9ce6dea4295ec80

SHA256
44f2f41c62063f798b5a6d27a50d07a624cc57bdfc2fccf8b0cc23312e07f34e

SHA512
7b1a9c58e71a2efdd79f711f7c57be1034488d2086d7bd0f9371be885f4ca9f25462fc6d9d5f0a11f1206cf465a7feeaab7bacbcc16a9b4346ebf43eef4c7610

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a3b0730cb6c1d49c643626c6dfba9213

SHA1
86e808a5fe99b399b2d0249ba4debbf721b6d0c6

SHA256
e1865b2c8d54fcc4806f64af61c43098259183d31c7d96b918f9f72ef6eb0b28

SHA512
4735073cb1ccdebea565e0e138623506a2a2a741f09c7676911fcb045370dcf91f20b8e28fc3e8227ffed28fbec41f69ce4736379cc9a780db08ad03d68437b5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
210fb2d92381b37e43f72eea2689f32e

SHA1
a5cbde29c411626a8adccb45b93180496690529f

SHA256
377507cbfeb5051073a83cd102901763308bbafe3426648b9ada56098c830f1f

SHA512
9860a6868c0515469a70489b84b6de1391df4e0182fcea9d516d092bc37b117ea18a389dca8ca28c80215afa30dc3ad58badc435c51be0e1a96c0d0a3d8d71f8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5e42cabbbdf839daad7150f3a9c3162c

SHA1
4eeb49d8138f383376eb745d91b5c69e0f0603f1

SHA256
48632cbbd6ae8b7d53d5c48291bcd30e80c82abe067ad0e5843ab460b16d3f55

SHA512
6aaba1e5f0fa1543aea87dfa2d9670ec2b9496bdb884d275efa68bb701ea3173690545a5509e1028f5fc9f114fe0673f4c14327c62a1882de90a67ab858e6bfa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
490ef502d5b31ecbab3c5da9270cc76e

SHA1
6be682849563eca84eac035f024b939dedb2b597

SHA256
4110292055483dbff146a7bef9de5975618f468d40413f695c3833af350c061d

SHA512
4e3de6febb301aed87c889ed1efbc27da47841132ae9064a7242c732f101792f859dc96c861fa7d4a19de2d30d4ec40e3af84b19290922e7d0c8997041c81d4f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
68fe323f6fe2a85e9ec517129468bec4

SHA1
2f51da33c69cd24e2cfccc8890205a19d60ee415

SHA256
3130f03ae23f3a7fe047e69fb893a2fc3a7f83ca91c40126ea33c206aebb309c

SHA512
d2b423469ab4e09c12d86a176b7cf4b1599a31f8885223129638b3af1bf54dcde57174385e5f26a3225cdae94ead7252ed6e00e3457c68a87e935837b898b374

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c441a6ebde8b7fc4dc4b77a6db393f3d

SHA1
4df84e486a1d8b4dc2aee22368c9abc6922a3f1e

SHA256
8e94e081127c5cca05355717146059eb238d3e7dac406e7ccd901a36d895788b

SHA512
9235320bc1111bb7b68d15be590394e67f57376eadaf7b8316f3c1dfe778e7cd1ff122924dd7dc0eaa0a0d9519526d308c59d8d79753d612a06550e0638e44ad

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6ad14f4176e1c4e8c9ee5064268fa743

SHA1
161525458b030be3d25ec626f43d0426b09f725d

SHA256
b0c61c1dda5543450c2b0dc996d175998beea16182bf3136ae921c04966868b0

SHA512
40104b9db28f3c030bbba5ae3d6855d52503a6de98b2bd3f9a4e994ef07f51aa214060aaff03cb5cbd4e13043eed1c6a4fdf68776952c2d0ad86d3798161c41a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
00caa7386b818c37bed89d87990fd220

SHA1
7ee2bf6736b010c941978244c153b591e17d39c4

SHA256
816249f1e3a8899591cdebc9d1362b9e6e5a587cbec28a4f88f4aca6e8e9af37

SHA512
f45fe5c280fa1750aeeb50ea84cacce13fe12b51b06b688fc88c9c398a0151bc94ec6dbdab828312d6f71a1320fdef6986bec58c9209c44948f83679baf860ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
8fea8b973d5e51158e283a8d1f3ee7e7

SHA1
c280ef0a595969e0be6a01a0cdb4db705c864211

SHA256
7b373531c6380df2a3440c6da32df8a5a19ca6db5bffcc2a23f3fe2e3edd3473

SHA512
5585ae23d94d00c6d4f6985e88a3f7a007849a014e79f1fac30caf893c60d1bce361b0467fa41c16b907d712fec20bd7aa56692f07c0ebfc968479f7de0723d3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
903835b003e4402b56b7db73877397e4

SHA1
ef0d08c34a1246ee1efba96b0239925d3e4679f7

SHA256
5fd188bec6d9c598292eec9041af31da0d8fa7abc5305652c06689a51b195f15

SHA512
89a54ec98a4c48b77786b8aaddf4b8132b4d8e194602feb6e76b59e921e1758b3105528bbc009c5b017526deb0129249db1f1326f86454e472b6241156cc890a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1f5f10b00705419a690d5ea251b1dd3b

SHA1
3630370d49768da49701d12ff835374286cce226

SHA256
7ed79ced936876b9953a901aea7b0ea57ea4492be238f38d3f45788d185095ad

SHA512
3e85b421f3a411f37a90e493c5ea256d260719f077d779b5a98ed37f63bf59758e85591e7bcb78b3e16be5c804a412b68cab738e401a43508bf1df6a19b997a9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1572c0256c9aa1b0f39c4ac493ad0206

SHA1
3499faa95324ad5d03e0aa3e7ac984cc3f47b22d

SHA256
a7aa3943ba0eaea94e9ebf345c4b42e579fba7e2af0aede07f837a44b561bd6f

SHA512
829fe0d4d73a41f6d97406acb9157cdf542d716aa540818519b5bd9c20abfc1ada08851fae0159aee3f78a4e4c83d1163de8eab7a7f962f45e2eab8e6b95bd7c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cc746ed7b611ad0165aa42c584300515

SHA1
bb418c5fe0444dc9b67ba7b0ea36b82a13607097

SHA256
706954d9959cf28e71d35826705a124d07455cf9afa1ba94627ff5c6f0c7a076

SHA512
5f6cf5f51412589682d4925cc13a2148f08c40bb829420862e704e02f868f5eb021c0e6b8340f553d3fc2645e3096cfada138d0b6c6fd3e3af7f1214f87ab03f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b10c79f402290a59648a37d9fc6e7eb5

SHA1
ecc5bd753811667835bfa89cc3db92c6ab3ec628

SHA256
a6b8bf473f4e27e357f2c55104d6b7ce4b48b6ab404b8c9cc8a83fff7ffce6ec

SHA512
ca9868f4591e61f0d35a558dfcbf88473e5c563d9c8a59c61b7a6abfd3287ff56f990e70465df09db93d117c16c9202854758d344a6036a71d0b0db2a2013348

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1e62cea71c8c6c175d2a169116b12338

SHA1
516d5e8be8e4119c5c0142e5c4ad86e70429c03f

SHA256
2d3909a14998ea972693735ef48e2c80267061bffe00a4a070dc154219aff70d

SHA512
4bb62796cdb9c021f7c49a7a4f1850161da13e4ef8cb4904e816aa0255520c21d337d5335de242a946dc5387da5eb12c347216c612df26b43f6f12238f080212

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b009a373c7078de05fb48896dcbdea49

SHA1
54013003942b98cf40b6054a8a223663825c5ba5

SHA256
6cde8bee3f94ff74e25acc1ccfa3c5757326d5e8251ec3456ae5875aa498a3d0

SHA512
dc4e3fc30fb7836b16ad31dc9fece0a7029d6ee84feb7f48b4de04b1edcf4ec8356ed930cffec411000505a5c807a08f42adc51d14296e2b458acf3796945c24

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
26436a48fed2802a07b2a023fb519512

SHA1
4e258448bb14f2debef796d7bb1ddee4eee48da2

SHA256
7b62d0c2a1a90daabc8337ff0f7f385882fb4ee852d41757deeab460e8b8066c

SHA512
a8a8afef6c5412ec55ef3a776f70474f06d39d7540efee052caa591868c96db1b06ed9ae3e9b02efc2302166a93b1d69a773e1e69477b055a9890ce0a1b11828

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5268e6603c0c52d5b6cecd257c8fbbc3

SHA1
2422c5b4d92a384584cdab8c798a7bcf7492f0dc

SHA256
954165f435dc33ef1944a372310ac70ccd7245b447a3c4243e295dfcf31e7bf6

SHA512
d6aa7ba81b3b28aa791adfafc326224859cd66442f3e9800a751b4337c4d389484b944fbfca479805e3512b174eab45a86c9fca8ed94de1e65b21778af7bc5d0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
65a956852c474892718521b350aa6b63

SHA1
71118d5ebd1cd36d19edf51cbb0836bcbe54cf49

SHA256
a2ef97027a910983bed05bf36bd0b38767558e69d1962ae67aa2733eccb99477

SHA512
43c3d53847265feb9c17ee8e130237f0c72d78c3f8d5f0636055b360b75552d4e542a713c205b443b8ba0d901befb5ddd0b4bde8d7b8741cc201408bf7d43650

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e62dd11a41a2a487fe8e516fb93afdd3

SHA1
f5df464202e97c95cac926e9b8e874fcca0c3bf3

SHA256
6a182e5445294ea69a7009f51a118939994d2be8aba5046b232146558b1a609a

SHA512
32fb4add40e844639e1e7a7b23f9f625aca5abc69a42aeed6ef46404bd27c289ac59ae6919f07a11ff814efadbad50891be8d6da0dd42c959fdde6aeb582271a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6afc01398f052ed6992b7b420ddda9ef

SHA1
23698104d4d63fe67c9683998857e64edc23b735

SHA256
217039c7ca735ba5f417923231cdab816386ac8d3b39df524cad36b97b092f03

SHA512
b90ebd6dcc6f3b9dbf5f3ad0f666d260c862a8ca544dfdfc88b09c43bdd3fcf7e7e7474e709017128fe140016fcbd5f3f089a97320cb708c8abbe7d3f2f65462

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
121089c60359b9ebab001c98f3b5fe04

SHA1
19402143f5c8639cdb707c1e3c1394ee22a62527

SHA256
7122e2aaeec6311c42d9df8c4bfffde9cd3bfee9cbdb2f8f237abddd7cc82e89

SHA512
a9fffe33d70d57559e3834b7a36c7894f6f9673d94b20c8280ea187f21b11fff6f024f5726cf549b86b8b88a20ee59339c1d577a7b35cb5c3255c6d4f7e3ed6e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
0be348b447ef3d23d4f55ffa0d40afba

SHA1
168056a3d79d3662d80bc9a1d4ae8b76b248a2ae

SHA256
530a0ec2b234a35b79070713c52c3ce443acfa72a8530a23b0408cbd22cb831d

SHA512
5740a7c7088dab3d452cec29180f1552e742f944fd54178b9d8d21678b725f50710336aeb19749986809f6349cb615623afbb01433fe1c9b02d9c4af6bbe7172

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
56f38b0c06294fa6d04fab92d21bccc8

SHA1
535ad488aa3453c5292f8274341b941537a6668d

SHA256
41623f3c1d4941222aed2859912f0904bcf82b81dbee8c02e589bfb0b77d99fb

SHA512
da15e35a81b52cf8f70b9aad458617dfa2d770fc42a89c9858440eabd6c8bea7261a094dc6fdf7320f3cb177904ba7bd8d9fe77715c1957bfb673b647262b8b1

Download Submit
memory/704-160-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/704-422-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1468-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1616-77-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1616-71-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1616-95-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1808-163-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1808-423-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1840-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1840-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1960-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1960-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2020-397-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2020-120-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2228-91-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2228-1-0x0000000003C80000-0x0000000003CE7000-memory.dmp

Filesize
412KB

Download
memory/2228-5-0x0000000003C80000-0x0000000003CE7000-memory.dmp

Filesize
412KB

Download
memory/2228-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2484-424-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2484-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2588-114-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2588-16-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2588-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2588-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2816-37-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2816-140-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2816-31-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2816-30-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2992-153-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2992-418-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3136-416-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3136-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3540-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3540-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3684-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3684-415-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3800-89-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3800-83-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3800-94-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3800-152-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4296-417-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4296-145-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4396-98-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4396-104-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4396-159-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4396-99-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/4524-345-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4524-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4964-60-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4964-53-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-54-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4964-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4964-64-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4984-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4984-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5008-109-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-419-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5060-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download