be9bc290debeaf1abb77f9996300ab5060f1555a142d3603e7ea1c032568d939

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f7df312c46e9e1cf941e93703271c91e
SHA1

af8e8f033ea2a51335583dc3368559eb0385e76f
SHA256

be9bc290debeaf1abb77f9996300ab5060f1555a142d3603e7ea1c032568d939
SHA512

027ed1af9aa51af9e10415f719df409e7ad8ddca6ca3e47dafbef3d4dbe2783a48cf033a2b5a382a9a3112c82abf669cf8baa7b3e8d254f2c1cae3dd5a52677c
SSDEEP

196608:mP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018B8:mPboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3708	alg.exe
4296	DiagnosticsHub.StandardCollector.Service.exe
5092	fxssvc.exe
948	elevation_service.exe
3480	elevation_service.exe
4852	maintenanceservice.exe
912	msdtc.exe
2220	OSE.EXE
2332	PerceptionSimulationService.exe
5104	perfhost.exe
1524	locator.exe
3300	SensorDataService.exe
4864	snmptrap.exe
4808	spectrum.exe
1204	ssh-agent.exe
2272	TieringEngineService.exe
2344	AgentService.exe
4852	vds.exe
2948	vssvc.exe
3716	wbengine.exe
452	WmiApSrv.exe
4328	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\76eb2ffa293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exe2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exeSearchIndexer.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f39dceee6adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b9398efe6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f2850f0e6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec41c8efe6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005eba9fefe6adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe

pid	process
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	5092	fxssvc.exe
Token: SeRestorePrivilege	2272	TieringEngineService.exe
Token: SeManageVolumePrivilege	2272	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2344	AgentService.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	3716	wbengine.exe
Token: SeRestorePrivilege	3716	wbengine.exe
Token: SeSecurityPrivilege	3716	wbengine.exe
Token: 33	4328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4328	SearchIndexer.exe
Token: SeDebugPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4932	2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3708	alg.exe
Token: SeDebugPrivilege	3708	alg.exe
Token: SeDebugPrivilege	3708	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4328 wrote to memory of 3880	4328	SearchIndexer.exe	SearchProtocolHost.exe
PID 4328 wrote to memory of 3880	4328	SearchIndexer.exe	SearchProtocolHost.exe
PID 4328 wrote to memory of 4536	4328	SearchIndexer.exe	SearchFilterHost.exe
PID 4328 wrote to memory of 4536	4328	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_f7df312c46e9e1cf941e93703271c91e_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2332

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1524

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:452

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3880

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
89e7a9c348e0748cbb6b3242aff3200d

SHA1
5d6d40e919980dbe2a01aca1eca206a7a7c34c28

SHA256
66c95104896593a20996fcdea936d503556fe04a2e75933c84818e42b1d7a8a2

SHA512
ba58acf103eb84ab07514544b5788b84226d698e9e6e2b3a8586e96f4a0b856a505383ab78728fb0119da8e0913638ab35baaa6a4e2a6dad46f19fd0254d7b9e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
fcad82881e1a9c08d39abdecfef7a100

SHA1
9b000476b16efcb8cc588236c698221f0d310bad

SHA256
74f23873a3f47653be2c0d0543e19deccb4f8e129abb4e137066c717224f6ba6

SHA512
c665fa496af5c37a83dec5886826c3d8e18cf87b2b3d8acf7131989972f3db8e90f9659e257d07670b34bc0f7cd4fcc123a55442c2d6d29029762cab89bc3299

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
6915087591286820bdf8b090ede6894d

SHA1
e5902d49cd2b226b758f1ac6d2882cc98183b9ad

SHA256
799f12714a40961c30519179e1d0ca1bdf0ba9f4c81c5bcfdc767e3805cedd75

SHA512
105178ee6c4c2784c161997b063c913ee0faa00acfcf70693faf36178c19556b598af9d230fe298e11ac1ade7c8e28b199ff5f524e7c875a7810d4e3db24fafd

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
0d8903e25c08a1f4a0c7292d691b9716

SHA1
24ec4a975caa818ebb9feaeb19a1080f69140e0c

SHA256
f5f5bf7d4f8f4ead9fc4e0814ad924b74db52982751f2bde2dd3fb1c28abf724

SHA512
4bc8f6cab096bacb51040f21b7643506421420782f46821640600e15c7305992c3551dc53937650cd291fb13ee92d2debbe95d0457bc86ae7efc3c5d0422ba5e

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
8dc84b6abed2486d66fd09adbcd8b901

SHA1
f6cb549ea3dadafef4e0f766dd6e3f01c851432f

SHA256
24da295d209e5f93ea12c987396a16514012c83967959a521902593622d1852f

SHA512
43dcea00c58a240758a794fd8e14adcf0aa7d24cacc31d921938cbe22a2975ed143de3f6fc18509f1db20d3e9ef1c4700a265932e9c8fb5dc82fccdc184c47d4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
884d2694a8f9f5c65ac7dfa170ceaddc

SHA1
c2e6efec090b167ee13d18568b58e8a655a6f66e

SHA256
c1d91d6940887faee78eb238a5c7479fcaca413f48ed191848b114592b111499

SHA512
e2fc4038192fe82d8ba2b531f97fda343bb5cad14eeb05debe226f08291a21505a19340c0c1189058acfd9b3c58c375277ac58c25de1eefdec9f21410a86eb62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
7e0e16a819c765be153deb91d26da364

SHA1
e69bfd98b011c7b2276a9fe5fd16bed766b977f3

SHA256
26f38206cb53811cf38cbd85c717e351e0d17788fb12ad4ac23710db0ba165e6

SHA512
fa929feaafb804157e1fe77f6342ecc0fb3dbcdf1f3f87d56bd0a41cf4e886efa0c41eb2cabc464474fa3b76903917533c139714a3b02f39ca203482f19158eb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
970524f81d58ae7ea8f2d7563f8e813d

SHA1
88c2a0e8ea4e7ca00327f9cdc2e30f115af97ca8

SHA256
d10d06cf9dc38c013180130871d9de236863ac8f4080a8734c9424de39318e95

SHA512
66652281eebc2e41b36614adfb60ff842163c32b0e817c111d638114f81ff5574efdf3f9a0ca9d03ed390b5348433c754fffc39119ce8fe010931c51e8b0d147

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
0c5319e88300de825deb27abac4b07a2

SHA1
5c9428a62f48816f49dc1b9f1e28d7c1d3e4b8cf

SHA256
e24f3994168b386bc69c98cac35d34aace4527013bc8cd8cdc452230e949f48c

SHA512
5c3068055ebb8e7b38f4d1a73b41d7dfcd9a595d8cc3c4c45b6644f70425d350dfa9b90db297f9417963c5e957824c1a323d4d20e6481316c00237cdc0046f2e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
c831034636390d0f219b5f7af431df10

SHA1
bdc0a24630afe5b4ab6dcaf8d912a34b26e58687

SHA256
aaf71de0e02e071a0b391b0c70bebfcf728924d2319dacbb887f66f3b1bc0638

SHA512
17020bd5da5786224eabf22ecf4b49302ee208aca5e6ba9264b0b00cd3159adb46b14f1dd171dc5a499c3fc868dbe0bffc8e75917c2f9e6394ed6d59cf960274

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
973a7e41faf743ac7be1694529aea819

SHA1
37fc497d86ea75371ce8c9536fa66e183ba1d66a

SHA256
6c31bd952b4b2de3d25e91bb90d9db97d33e98ac016ab298d4f362a6999c8f04

SHA512
b1167cdf351f214f3639080b2eec7b5eaf00dcfdc45043ba7933224ba364fc49496c3e915790cf805acbbbb22b14c6f12cb71db870e655b6b2f4d8c1615e09b4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
83cf711099c9d62934b16ec090498aea

SHA1
e2ba1291fe5e1340a1f6dd20d71472458620254b

SHA256
fe90c1db66869fe9c00f529761d8e0cdd31fa58330b3c1774d670dba75eff85f

SHA512
d127556d7327d639fb8a7be2d3ab28e20624ca4aebed08fcd4d9fbcbf20f3df467dbe57b274ef22154a468a1e0e9e5b9d62a39cc4e181b87994aa0e47dddaa1a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
1a488d7aa979f182fa32bc6a13b8ad92

SHA1
a4e5748e97f62790501e64280dccc3a1dabce6f4

SHA256
dff8d7c9f29e8795e2106a447e40a9f4fd6b589dac5344aa67cf893f5597d7a1

SHA512
66ae6d8fa94f656d790a565e89a6033883baa6a38adfa26ac8550a28080f64aaaeebf31e837b6ff682f02b66c53f28fc483d5ae18f852d40ab01d9c20aa23a8e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
ca5c8da2bb278e92a2eec4871228e747

SHA1
7d6e32f4b93b6d01b80d1df03e153978ec333275

SHA256
39e8b8f32074ce6de24eff5bd9de923a1d64d661c0938183babcfd32c8f6cb79

SHA512
a17208f2e59f6af6c7d4bd8c918cffa171ae4cbdcc97c21564db0aaf3c7d09bc6b23f06e31bf08a3c630d810cf3123bbe6e285e06987776ef3108d143ad8deb6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
5c9237bbab3348d94be45c24eee7b747

SHA1
ab00709a8a4221d6c6218323372fd77366afcd3d

SHA256
da3d0968bc8bae9f037c7d48c3ffd549fd6ad3da6237f448741ad701da97a146

SHA512
aadca3742690d63d08cfaa8451f2f1fb2ffe1c787f3e97070f4f026775a006254c63eefbd30f5edfaf7b684f4dfcba1d4a9e96d38c7fc794c0dd239021503d64

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
39f03aa1bd0f2e462d51cb6efe1bf2f7

SHA1
5b22ff029bfbd462016e3d8568d26cff9558d271

SHA256
f5dc509119cc021677e1e908a7d0ee9906aeca5a226569113b600d4329be9823

SHA512
e6e44611e7d87fea191a0791ee636781073178a0831cd788fef67f75fed81b2b3c7aba28762181aba01a912a02e12f95ed1e0d0f4591716a2e6c737e392943c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
c5f04e8af562b792cb5969327a98d032

SHA1
c0170c13d9520e7feb3de8c341560d70c74585b4

SHA256
e0aad173ea66ee93394da1ccec402db434cddadc510d6558ad6d20fdf2197d44

SHA512
dbc5ace8da8bea844e7e1c56593cfea2281b3d713d77bb20b04c1f5db698e8dbd53f80d51a3d42761d3502f3c3c5feae19b46b22e5032f614cbf5fcb6441b7cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
ed176841034fc7d4a51c0ac4217106a6

SHA1
9fc9fe52eb02cd3451cf9a1b2e9a93a4e73362ce

SHA256
69b3314531f06b4ff36bc1824db938db2860b3356c367eb8a98a41f835abe063

SHA512
30ec07dc9de9d5ea69589835c3fd2f3f3b3a220afe07693b0ecc1fe498e7ee36758b6216ac2cc103432a46d35a794f481bfdfcf4429fff182905470247237bb4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
699b66ad65f8a2bcc23e0f794b0b337c

SHA1
cbe1168ef4d96b260b957862037fe24bf6bceb71

SHA256
678837125a82fd8a9f13b37a91576a8d5d920bf7fb2cd63cf2efa05e1e2d9389

SHA512
0a3b6a3a8e1d30cd6efd92d4d853308ff97fac4454beb27ce7e1ff78619f3f72b01720e14ae922457c2ecf5cf7af1430f9cf3aee32149d90c1e73d5b85d17b26

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
a5caafeac1a5e8e6c3017946439f279e

SHA1
9b3f5afa6d1113bdef4eadcd711320bddb1bab8c

SHA256
76cf094badfbfd88fe18608bf6459f0fd4e7343e4928be5a2861bf245b4cf0fe

SHA512
c2c28d17a71afdd33435a3225c77e1187f2b1f152242a47133839416cdee904b741ff6cefc85b9dafd6c0b51e162c581c868da6f9713825b7289dea8be6850a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
09dc0e7d8e520d665f1adf74d61ebabe

SHA1
38f25a91fd3529574549c28df96616a0bdf5ee81

SHA256
c85a59c668f3541fca2450edd35e1bf6259e8d746b950816b382241f508173a9

SHA512
19a8fb2efa3ca38d3bd1d6fdfc496f11e2d36ba15b99ee93368e6c9aea64ac1f72de866d3d3f36037e8f9a664cd98bad0a936b247af552c4ebf84dc7e0f4ac66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
7b4041b012da805abc84aa90bdeee6c6

SHA1
50194255de9dd289a06c283a5e2baab383590d04

SHA256
44d9712d82e38068036411ead9bda05226636c77ed767275fd3a983226782281

SHA512
afede96b25b0c9fac12e2e0cb553fcc1504847cdbdb92838836d815138f313902c79f8bfc6390dd22fc2fe1508b776c26ce59cae5967d851a7ab0e993b193dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
d6420672dc6f0378f07047ae4eac93c4

SHA1
255065317b641b1650b1ea6bc546ccd174e8db6e

SHA256
37555814ccce3097a0de37f90e7b23f7ddbfc747f0691d162e8d45cf006ac0ff

SHA512
811ff4f599d4949c44a1f3d287fc387e9ab9db93b50cb7087f78a52050a535dc84d69a63e36132268bdf0e565f39fe56a410cae44a3df66ac99301ed5823c2dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
19f1e09b0c2cb8230d86313d55cd793b

SHA1
ad1c9686a6154dbe276f04c33e3aca13aa844bf1

SHA256
ce8c134fe572254eb7d5a5293979b438da2e97dd190d0e56068b13d67e825648

SHA512
3c07bcbb749dc98600185ce93045be67066b53026f36ca5644dd129d2f913079ac0e43f65d5385362fe9eb4e34d8e6f6ad28760da7cae100bda9aedbbbaed973

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
34023ed1298558c043aa89f49e26eea9

SHA1
4e8ae8594d5da10f1ed80d4f012585d0a0cdfae4

SHA256
5b5dd2593945c61c5aa826f5f943a34da9a48860a92ca5ca1add81db16b84ca1

SHA512
c16b49e38481005d6826335226ef4440d21b5f6837f920c4525630872bfd280954ebf6c79304e112aa3763329a49ade20c642a7faa783bc9b31ee605c466ccd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
f27bc0bbe075a95bb3643cfb54847435

SHA1
d3cba08545b89b8b769f83290f1b90383786b1d3

SHA256
55f7fbf817324bd375d14cea8b05ffa5abaa39786610cd4afeb5f4ee965b441d

SHA512
8b88b288f395600b81995fc0f27d2c47c528ac3198c5a11c7a02e14199591b8393cf69a108182bb364d3904f8ceba078dc9f2d6d20aa639757752a6a60821e62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
ebbfb3065ecc09f29024d502a10e39f6

SHA1
f22ea733cb941ebb16db1f93cda30415c1842b8f

SHA256
d697e99c7b5f68c97eef60e81adb850a8ab7e3fea1ff5756f709f8464a908005

SHA512
b6c9a673d0388fa70feb993544b2fe1939aae5dc15d0ff48cf54dc88d689d331fc4bfc8ab8c2559f608445c084d9193b70267630bf68a9de1d767bc57966a5e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
5a7bc740eb61447b9be462af33067792

SHA1
48a0969886a4e28ca47c49ec3aa68c2673782266

SHA256
8d8d7594a965a5b85e880b85eb21c275e9d4b40be0c6f86b0701f41dbdfc23e4

SHA512
0a54f5575596768772464f3c1fe62ceba48f70401d5e26912357333034392d1b712bc60ddfc233ade259d1e8e2a0b803aada08a0310554a204f595226c4c06b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
9c44a73f384658ba9a85a5af773f42dc

SHA1
f1cfb2e31a328a2134f49a4feed474cbe0dce648

SHA256
29243ecbde7a83ef5c56e60b3611b86b3ba18addc59cd7723df923d9fdf2ac18

SHA512
110d97a4404f0689bf2498fc79398aca79f9a3c7bec1283647b6e11bb169fbe6f380b1c0cecb879887d83d3f5295425739d20aae44bc2d0ab75cd5e90c931331

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
87ac4b22ebccbaa090c7977452c59d40

SHA1
77faf2140a8792a102a86e4b5fafd71f4dcf33d5

SHA256
fb023f3ed52d1cb2c2ecdff55b114666c65960a3e60e19ba68be41508410b0db

SHA512
11e95ae691bd29677dc2f23aef04f6d274de75c77854ba31a67a40fc77964004bf2e840ed684d70a163989ac4e8c64ec6a09d87eadaa9e3059263532e09ea67c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
ba1df8466587662a2dd20701807a5d33

SHA1
2b7e32f94193c4dc70ef32c763936cf3dfe4b539

SHA256
8197ded064f7c698a98df7f4f8acebfd663fd97d66512cf6c37c9327df38c1f8

SHA512
5fbb6069219cc972afca2b33f2bc4bfbf50d51444e68b5582a0138079bfd1bd6b2bf7c513c91188083be78ec54fa0058f0b20fb8c405034b22a51964cf99eb34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
36a109ad847fe375e517b2aea4f6bd51

SHA1
85da1b8d0882f63109d0ddaf09270f8f1b75c8fd

SHA256
ea6dd2d286f72aceca8315816c66c7a7585b9b38dd4f5b805eea88314d541603

SHA512
0be39a5aed85b413120f2c784408635bb7a4b8a7de23a6e0738031ec57a63be67572fac558ee308abdce660bace1e8c7ea4000102f2c58f6cb8a9191cf62b360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
cf2fed47823b10b57b37010d09b9e76c

SHA1
4b81b186ef62bb38d0e651c8bd0ae2bfdf900137

SHA256
8c76522979e7dc5cb01c92b90be64aab895dab471e5eaa73117c17e5eae0de96

SHA512
62490e8a40d09dd5efa8fc52766a7dddd32b2b13485c4718fb50997c57e98f39b95069695b5f021b9540268cc98cfb3b44c7f4e2a784c03a7753e4faaf7d74ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
967f68e25c728008f060a95cce4531d8

SHA1
1628a2eafc23355c0aaae2902868f738fd41f616

SHA256
4f5cb4c038c9770e51a615d1a44f1fab001a7db3677eba917be0e9d5d055329c

SHA512
39599b2b255d9fdbb330383cc33dde5f4ce17aa70899aeee3d5577ba5b59411c377b7243bbb30c322e27f5489484b5319dc19e8b4e29d9980e36aa87b1f3a51f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
5af5cdc1dcf5d800043b4c589fec86a0

SHA1
4f8a798cadb4780729ff953707a1860cc045bcb9

SHA256
370b1250f61c303420a4e1e3103fe0114132e85d96a282df55ff8da96744df74

SHA512
b418d49f61ea78eb1e24a249ecb4b3939cd71f0071a131b8d5f90d4f3bade18f1d30e7e49e52daa1df6bb8746d2c8b848c7d7db3b208891a038fe712ea82e35e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6f65d47e03d0cdc92ffc5b3cad425ec4

SHA1
c358b77ec60f58fca7544496e376d9735087d8d4

SHA256
b9772f31280024046a1c176427f3dc83228f17d3205f6dab6d6bd02aade6909a

SHA512
9096e30ebb02c01bb960f541cccbf4de5fcbca06f7b448e9e26ee22428cbafd18280cc4fb019f5a5864266f2f7cc39f0f4eca86da42d9f5c51f79b79f8193601

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
0cd72802fc6130aca578ea6491e47cc3

SHA1
a4f640c4c6571e8cfba4c7cb4dcfd4598204b307

SHA256
d61674d8a2e8aad3ea1abb1b949f1fb75cc71c51dd5e751c0d8ebbc2e1b647f9

SHA512
effbb4b185d0e29990e1b28350cbb6fb3492b649bb8c501ac6a7e1d300ddb6e6ad85c1ae6f169388a7ca32d0c6b84658bf2b6ce8ad85ffd83ab726268eb5147b

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
cd10b3ef2ee8ec0803566483c6a4b1a2

SHA1
29570b807cb6323ffbd92c179953e0961e74c303

SHA256
24fdb9d143cfc38620ba0a1a63781443e7c44f91ba5c2849fffd702726acca13

SHA512
483654c5d459255db5c91d90e89eabcfae3fdb60902941162290c4daed74b3e0137dd541813b86a1de3105b0cc71525cdaf496ed34068e05661bce3e3e9eb07f

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
57d12cf5821e385b544b16173acf90f0

SHA1
9f84661c03a9f0017cf45386c49714279ffe6553

SHA256
9fe690f32aeb6bdd720f3bd8c7eca05038615be432f83c9d971d12398cbe5bcf

SHA512
d5cdaaccb19cf1bfe857e8a19df5f832a66f0173fc58c7febbff2d4e941aa282735d3aad80b14824336b5dbdc41029641e5eb24fd09b5c48476b4cf6ce9aae1e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
68cb7e45e03de135cd09dde2c2d486b5

SHA1
68106e54ce02749326aef604954569de643c933e

SHA256
36b6edfd5f42799295cd185fddb5bb4f381ae1dee4b4e750e29222142766507a

SHA512
22dd3a0c52b37469d0064109898400425104ee20c44b9d575d7b8e47ce41a08216893d79728cb6f657df5f9815ba7a02c307d4f295648d27b9034a0433364da4

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
809ed622119702c93aad453c4e391d6e

SHA1
493f5f8234666d22340fede10403f2bd248f6f0b

SHA256
98ccad088f46cfb3501dc1e3de8742cdbea92cc0450359be6fc8dcc950b9d273

SHA512
7ba5b4b513fc292b750db0820f39d11dc5d82f5729e6c4d2655d92899cc1abe30908b93a762892ff5ada814d08b1075d1d27454aadaee48e34a34b7b1bf6f036

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
1d6a4a7886dda1012b46ed60c8676c7f

SHA1
72b96c057975d2ae1a0225d10ea6873f8fb1ed19

SHA256
1cb3f0670a05942d94df81c4a05037b227790873117ade4864388718f548f5e3

SHA512
e14da1f615ee6f6f25a6e59a36bbcb09f257b686818cbc41ce96d28912c40e59bd012e931f67252413416ee383563ddd99699da0e27ce2f0c41640e3dcb40094

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
faf4db2703df5f212780eb8cbdb5deb4

SHA1
dcd8f7ba820bb1255ac278194d5be4847849b5f6

SHA256
ca084141424aae4ac5a26ea25ea6ced20136877f59a7abc514d9774a7a085b30

SHA512
2d0075408bf1150235862471c28c874a5343006d8925423875056c95d2f89165fbf4604a98820b5d9b522770b3b11aca688b372f5e4b34d39b92637df1f6efec

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
063c48e6863f1694c07bbafc484246ad

SHA1
47b93fd6bc64ee1c359f7820387ee91c6bc39edb

SHA256
dc6ddfb512f9d6955606f0e9571c893fc842c19b72762ea8695e50a52e45f01e

SHA512
098a0763e7e85a6a6caecacd285ec409d67df8afd856dbc001922059533bcfba32bc7338b722f0bba828d2d0dd7717e1bdc0dd20002766f9e1fb1d2fbd7a1e3c

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
b9353306062e7efc48e506173716799b

SHA1
1f71d900b33ecd697010b943dbf0c72cae8ceecd

SHA256
d18da455e35048718f0e944f1dd77a7f8455772c7e641b6f8b244dacf9da8445

SHA512
5a3b77299f3a404f6095ec1b13f4686e06d3e0d0bd9c98952937fb4632fcfe1a1ebc80606dc33b79f9601a5029a866cbf6e397963c88cedecfbfc40dc62cf206

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
2275741f25959ae86fe058a97e936f7a

SHA1
34162ce2e64ae7f6e119664d55787ec4489fe5fd

SHA256
d86fa681879fefbceac773e974097f5e7163c409bd40af043a68c5cfa4a11f1f

SHA512
3b762a98f122cfac221e834e5a76ae3cfadbf5f5307a43e083608ba81eb8b07b24f79d2c12609c6547675204bc5a37ef8d82e28ad0fab77e2b1b3eca6a5f2b52

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
18d6ffe9080321d469b1d7dcbf29b872

SHA1
368109705bc6d9d12319076f23778a07d314e6b8

SHA256
d46fab6f77abf3da8f71a3c5554af10a5f8045a552580df0ef85e209416218f3

SHA512
fc046f2b2268a6981ab92d022c1f8816eee0da4caacbab93a89a255ac0da329372d7e97061653ccabf6ddb3c865bf2eefc68fa83a165d3590dbe76713ba5050f

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
164391a7f4e2cdb55360e8484b0d9302

SHA1
f65a70ff9c31f6d063fee849fc36b763e8ca1b63

SHA256
daba53c806778fcab15525fbdeafd2c6e442f232e2d8d1c8f3f61c9c0a6808b1

SHA512
2957e3b4c75cd6e0dc76d12e92d14cf3068f7875b2c2a706b126f01e587869d20f4204c57e5c16f7bd555d02360b1f4dddfe9d998338f9e201085967ca6bf5b0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
73e0a6e1efbe1ebde7f0acb0a2b88c2a

SHA1
b9029da0f7afa47c40b96d8a76ed50e83c611435

SHA256
f0e71186891487dc6c798bf7096091a2a2472b80af0fd2664cc8994bb29133c4

SHA512
149424822f51291d94a9fcd63435adb03cf7db09049dc0a0ba91224104343e7c4b9df9bd1c7e47394f4fe5389b8d89822b1dbcbaa3da8c8e96a2ff26ded4e8c4

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
134df766bcb87bd5e335f4e8f0641fba

SHA1
3971978064d2bbeac322e030a678ae4e3ac34459

SHA256
374244f26f15bb6cb747b5cce79a733bdf295494ba4f691f1fb5f8904813d19f

SHA512
a2da9c33bde000be1ad75e0de0772fecbaea51729a61dd545fa82d9bfc85314457ac5e06cc19e1eee959b87b31350f9185466243fc10aa696893e37f9beb4ab9

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
5b08c4020bd550278a335c88754e8d92

SHA1
a0cdc6d33c5ed81a4f6aedcb7b1c211dc75fb9f0

SHA256
bc9449ebfed8677d7693eccee218b298cf9922bd053ec2cfe0ef122b8eac5277

SHA512
8633d3ae8361521cf1dcdd6fcd1bb5a8acb2d3cc6985549c1108f6f11b4c5a43f0d774aa9948d47c56273a952574b04ae73e139c40f1bf250c17935eb92b1dcd

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
27bd0fe2abafc3be95ee48161c9710b9

SHA1
50ec79eca545ea1337ab10bd11433b38ad09874a

SHA256
b7abbeffb4875eca76a2ef6e1e5404d348b101fa31dd78cbe7192eae142b3e35

SHA512
5c4e4bda12a1dfdd3cddff124eed66915a86c9a5e25413385cdbe26ff15a4f5ad569de462f27119cea8c20391ba1b038231ea5e1529699f568dfe088dced1bb8

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
39e95100501964e9593e8551057d1e14

SHA1
5cdc9436a26b0653313e119d0c680f311672ac50

SHA256
94683af52f4f1f0b885574bda3101e82ef93abbefda6246a0474d9fdc5915466

SHA512
fc57ed72176ab5ad261fbaf14af1e1d56ca25e2a05005d9d1f0c9c684b8c9a700da75e8549dab08deed13380b3132704438b9f816dfe6895b6d4fbb595394116

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
c6ea0b6b917f9f2350f767a60f0b6e82

SHA1
93e7c136c6615a5ee76166c26ee9fa8f1ed2f08c

SHA256
79ce80fec89ee47dd994723fb36c7a7fe17084cbb1d37b7415083c054e3bbca5

SHA512
e50279a98fa9ccc70a7aa090b4a442b58c5d72b6246eeab976736f24240ce44ac5fcf1c79588a0acd5bf739c68797a020c211fe72981601072aa89b1d064b80a

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
062b0adee5fc843c68fdce2440fc360b

SHA1
98f4fcc305458bd5c9b0af4cd15d06e6ddbaa190

SHA256
f96af7e1f588086bbf6b400a86ced529996731fce92178f7bfb5221acc088ab7

SHA512
0ae09e9fda0a52c6e21141a7948b364a275bd2676213b6332f2add4164e425c30946d730a4f7558f8abe72979acabb11335bb4f244432d2b0b25365450113dd3

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5deebd1a81a8d77266df1a0459afcaae

SHA1
0c5b7864af7d09b6ce917cba689f37d97d5d6195

SHA256
179985a39ca465a45619c42cc84815fe961df138bc56afca2687834dfda757e6

SHA512
b353adad0634bfb2b37a04d44a86ce136b1c81eb58e37b9f802b61de3c349b298c487d2beda51c023d2049e29faad04469c84eabac7e39d9ef1067e0b35679e0

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
1c45602fcdecefbb5b3bf931505a42b2

SHA1
3607e5274b48d904fcda46cece6ef999e0482771

SHA256
abcc55bb7e2ecd579e86ef575dc01c74335a1b1e12b9811061b6cd865156ea60

SHA512
c9b415902c908a21956dd28a2014d79a96e1a128a2cc499a84475c6ca6eb3307ebac8dc78cda6b99887b563192a4e954542d33704b380411740f8c29e301a646

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
bf0031623d7ae426cc409486c3dd56b5

SHA1
893a7042f0e64477b71a22d9ba9634e3e95d92e5

SHA256
ecb654a38a5d4795d418a51ba7b62e42164d5439d7ddb2272da8d70538fd9a20

SHA512
299e7209d137434bd7e744eba10e32e58123ba2d6cdd83efe4ecc853fb27ab667575f96e335c4265992949d35de6b32c63864faad5531d8bc706683e79f2726a

Download Submit
memory/452-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/452-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/912-190-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/912-86-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/948-54-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/948-48-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/948-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/948-600-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1204-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1524-194-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2220-191-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2272-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2272-604-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2332-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2344-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2948-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3300-196-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3300-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-602-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3480-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3708-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3708-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3708-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3708-597-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3716-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4296-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4296-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4296-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4328-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4328-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-603-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4808-198-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4852-72-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-82-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-78-0x0000000001A40000-0x0000000001AA0000-memory.dmp

Filesize
384KB

Download
memory/4852-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4852-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4864-197-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4932-5-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/4932-460-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4932-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4932-0-0x0000000003C70000-0x0000000003CD7000-memory.dmp

Filesize
412KB

Download
memory/5092-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5092-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5092-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/5104-193-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download