7a46260329c3b6517a7ad5bd8b9a617de17e9363f44d835f2719d9ca9d999200

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Size

24.3MB
MD5

6d3b79af33bf6a9d682c58a5638402fc
SHA1

e1e2b9703f9fe95d8cb15f9378266d64eef5015d
SHA256

7a46260329c3b6517a7ad5bd8b9a617de17e9363f44d835f2719d9ca9d999200
SHA512

c71f6a8c68ca31d7488290bf81394e654f3859c2eb0bae9374f6c1f60addbc9eee9be54094a55b09bd9cecb254e8d8254ef4eb710a9e5ce193cfb3af290d47b8
SSDEEP

196608:wP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018tN:wPboGX8a/jWWu3cI2D/cWcls12

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1124	alg.exe
4588	DiagnosticsHub.StandardCollector.Service.exe
2300	fxssvc.exe
3700	elevation_service.exe
3656	elevation_service.exe
920	maintenanceservice.exe
5036	msdtc.exe
896	OSE.EXE
644	PerceptionSimulationService.exe
1828	perfhost.exe
3476	locator.exe
3024	SensorDataService.exe
2264	snmptrap.exe
4876	spectrum.exe
1108	ssh-agent.exe
1528	TieringEngineService.exe
3216	AgentService.exe
4768	vds.exe
4956	vssvc.exe
1312	wbengine.exe
3020	WmiApSrv.exe
3080	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee13de3792be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\javaws.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf6bc2c2e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f758fc3e3b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dac87bc1e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a7b32c3e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000623e91c1e3b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000771730c3e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7e55bc2e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000295d52c2e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa6e84c2e3b4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7362cc2e3b4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	2300	fxssvc.exe
Token: SeRestorePrivilege	1528	TieringEngineService.exe
Token: SeManageVolumePrivilege	1528	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3216	AgentService.exe
Token: SeBackupPrivilege	4956	vssvc.exe
Token: SeRestorePrivilege	4956	vssvc.exe
Token: SeAuditPrivilege	4956	vssvc.exe
Token: SeBackupPrivilege	1312	wbengine.exe
Token: SeRestorePrivilege	1312	wbengine.exe
Token: SeSecurityPrivilege	1312	wbengine.exe
Token: 33	3080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3080	SearchIndexer.exe
Token: SeDebugPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3460	2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 756	3080	SearchIndexer.exe	113
PID 3080 wrote to memory of 756	3080	SearchIndexer.exe	113
PID 3080 wrote to memory of 4132	3080	SearchIndexer.exe	114
PID 3080 wrote to memory of 4132	3080	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_6d3b79af33bf6a9d682c58a5638402fc_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2032

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:920

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:896

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3024

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4876

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4692

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ecde4bcc15f34e25d03f34fc0b6f2a42

SHA1
57395c8fc6ed3d33bff3d0d00934d8e27c875379

SHA256
ed74e1ddb52d3e4e51280131941d1a3767f657f62b942ad372cb88140de4c5fb

SHA512
61190e5456cabc5757a805491b88ad42fee29967dec3db3de4f114e46423daafd977af12629ea34b1b52b878a2c0862cf9b5f495badb2ca17e9397b98998e757

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
decfba24e642f94da4b341f842530cf2

SHA1
70e84ae0e9c1ea80805bef489227f84b55ddf129

SHA256
12c6ee35cbc6c2c730e0ef3c0121e5d462ce877bb29d8686355b77a5c375c54e

SHA512
361a27e5a54c0c751596bc1e724a8885c4ac0b7da8d5c4094fc60c957c819d6e6f626f541202327eff3e5bcc0ee349f783f37383d534c66cb624ea4fa4fe6d22

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c6bbf012855fc7c8bed4c830f3b77fb4

SHA1
a83cdcf88fbc590c4276e73650720165008724ea

SHA256
6beb155ab7ea9a1e690a6d3be26b00d11efb84cd37c4f388ee572c360fb7eefa

SHA512
a2bcbb8112afc1a4bb386fd960dfd57c4042daf23f9507fbb757fedba3fce5e3fd248e35cfcd54179b0c30bc0b0d525626f8417299f72f5bcabd41aa8bee2470

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9513ba96e785f3ffd48f41008f0c837f

SHA1
39446b391743f58b1d4b1cd950ec86677607127f

SHA256
85936476b2df217280e3fa768a177ba643aee4e73fcec03618c1109da024b163

SHA512
08fad112c22b8fce38028902a3eb9df3590b549a5a434fa45bf136ad07f4b2666fb7c78256eee54c05f568d3392fc137e5cbe8476dcd0c653d713014101f6825

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a2c6facb88d17953dc8014dd8cb922f7

SHA1
fdb4026da7d0fd6d55d9ac1d8a33170a4ddb5b30

SHA256
26741c42a4b2fc3aa1375684f5b8ea1733e970e61395a2a7c7f878f97e8b6fb7

SHA512
ebff7247456300e6e0baed061f713ea96025d8bf1089383a96af3aaf5c597e50ad615788e991073069d711c71950968df7997abdab67848b4855392eb3bc92de

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
61e95af08abb87754e112b90e5d1a23d

SHA1
4c508e2edf561c7fac717ee56a5e88a45fce7a53

SHA256
1659ecc28bd7be548011fdf6887f599c94b28ce0d0efad98b715c7602f2b6454

SHA512
b80d3fd2afaecd216c8bbe7e449540ffb6be80295e95181a358d01efb1f0dbc73ba9bf5687169d59c84cdb5ce1465e300d3f23e0e38c9b8de8b0b03fb8d4c5a7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
22505d8663fe39eb6ba8855e4f36dff4

SHA1
a92ae7ebf4d8699dd9cf62b75aa6ecdd9bed3191

SHA256
bedbcbf5a179137ad613a6419fa36aeee623042938c831612790e7c62a5a789a

SHA512
0235d88b7f2edb248c51c7847aa101ff9def4e9b1a1e95db08f7c4ffab045fa5961b9ac0cabd3301df8c1c94d794138fc229a049679e10024f3f82b8a90e1f55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2caa3c33097de385be0adf1fc76e82c3

SHA1
4d468eeab733f8ae391ea426a4bd882b3985ad1d

SHA256
1a65534f981631055ac9638cb9f6e319edb1388f44a2cd5136fb4a56a90511af

SHA512
a4bcc6df11fa4f97372065b3c985d04d61235c5da813dccca74a12d3e1c408bdce4545999c0100d9376ee3773f3c1cf56446becdad5956bce0c8f49f9a303394

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a83ce18159f8cbd4268579e2a0aeeca9

SHA1
76cc6150bcdde8f8130bb33c71c2fe8af5e3cf56

SHA256
3aa810123a693ebe467add590b4b81d9ec76bac87a491f1e6385a27e51a7439d

SHA512
b223db4b017146a5f83f952114c4c8ce84b72a53315ae0c29d6a45578f177075b9ebb899b8b0b740a9be3a7efd4bb573a35a422f34df3bdb48d523f7462be8b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
69e6e14baa0ec30b4d416f1c48375d95

SHA1
09d47401eaee67f5a0a31f87aec06c801bc0a914

SHA256
2732a6ebe4f5988f153c5a0ee0a543b0b30a93b74b1ef7636e8aad36b2b92f93

SHA512
aecbb82a4093fcf23bbe642057c1f1c3af1decc1c54fe16fd8624a04d23071703144f7606bf1b8543096851bb73981234c519c0b3baa5f9833174f8312c106b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
555856b491c609c22b9c99f5f5703ce2

SHA1
95a51b46bb2bbe64661e70fb5cf585b2127da684

SHA256
57402fa523b4470cf82f0c447ebbc26592d57251f27e75a491c63c54b6eacfbf

SHA512
44427e973dd066b15350328c7088dfefe303322ca1d9b1e648724e8f834c521ce5e29fba98f688787f6e668cdda6801a0b85d6e8b3e78063e77076a2f1bedc0b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
feac40c2d383bfc349190485b51f0630

SHA1
c15e9a1ea039d8992839dedeaaa40ab4cc5ab542

SHA256
af6544bc45637c9acc675c626bf7e430a80b5dcf2dae83fee2c2a3391245911c

SHA512
c00fe35548846e2525ab4b502ecefa304050801f63b66197b1f550e9d1a01e90d026986be29e7601b4394a74817a2800793488dac7468429794a71f2a171e121

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
af6234794ac9975341f9f18cbd75e09e

SHA1
01abb951e1eb86bf5e2bb94a5ebe45fb903bea68

SHA256
5cc3245fd2b877412e4015a3e60611ac9e21b74b0dea4ad0ca643d9082d2e96a

SHA512
321c170dab96301403e3d9d0005ac8f63928610db9e8ff2999be19d6d51d6a0a643c791d2cbcebefcfa3971da1bd7c8f785af9af65791575862502f410f05976

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e15f9c168fb66e0e3dc79b64a05db211

SHA1
4741075e4e4a7cda21daecd9a0506e7b7795e5f0

SHA256
29010e1928416d5b57d24958c6a5a13f2a117102b976e1df09b4611d90f2caad

SHA512
fbf421023bbdf4057ab8a8cc00afea42ba7d057b1e9259a1b1cb93be142e09fa5fd8ae9af1947b74c5b5cb73c6fe6c79d73a37073005fadb7ea87e09457735d3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
06f406716436c3d87ab040841f11a2d4

SHA1
24d8ceb3e606eadbddd176391bb22b3209aac174

SHA256
e7aa323cb181e6520ae1cc0c88c02f348f90125026c44ba9e9d190129fe245b7

SHA512
e4a94ae7301e5f3faf7606f3d46e31fa78a32b6904064253cee9f8f1f3c30b46c931cba950049c378a5ecf1ceabf560e316e52aa616c517f961e89b096242b6d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ec3333c702e43404ee4fcb6cd46300bb

SHA1
1ff907b1e76f2ef04a726a0680543041b1be9193

SHA256
2a3afe12a41acb8b50192715b38661060aaf977c0bfc794209eea1376de372c1

SHA512
700c75433e6fe11cc5419fd921914faffc491461ba92377281beee0f3fcc63ff3039d1665d7b1a401679248c6613d99da8e8f1ec3ccba7ddeab9c93e09683a57

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
93da10732d379e0327bcecc5e3fc0838

SHA1
66bcf602af0beb39c9204817cf2682e5679038ed

SHA256
7101ec19dbb11a82305a7028b6480eb1e1cbabc405292e0a44de987e089bc10e

SHA512
2219a0b4765e0d3eab1c4ce81801c05c43ca2e404f7536ca4a9ed3f9d4604d662d5c914b7d419cb804b1c4e7af013c28463dab6f5105833c6a8d824a6eebc961

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1f298dabb67b328bc92bb0ae74f15f44

SHA1
53826e70a3613bf93bad13095969953a251af9df

SHA256
2a74faff7cfc915879725cc8f7ad8739e22c2a872d985602b21be3f58e47a2bf

SHA512
992ef9483d49814ff608821e9e1c6cdba7efd9bdf32d4251ec0ffbbdf345410ebcc03ea140f9deabc91095a2e7b1d1d4f62cbeb7f0d901301766d31acd0d2d38

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
e08e4ebea9fd3b922d8db07d6cf1729b

SHA1
8a7fbda9165b19c2c9169d5a03d32db8d17b4445

SHA256
34ecf35cc867036b878bd80b52d923d21ad4b85af11c044324654971b869151f

SHA512
228c2f908e623ce03b2c27f918caaa9d2f07db217c4c42d0779662f0479b08604510f40e98f2b3bc5ddba6398f3a9465e54fc86d26c230441c5816afe15704d2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a9c12b6ab7fef9e9b6332a19ca4839b1

SHA1
8646b1082de44f4d7db552aa8447473fab1eb1d0

SHA256
6a28f33e1356133f07e56fec484aea8edb8f50e73aab532591dadfc78266fbd8

SHA512
9bdaf26abbffc5d966f1c9c668aaec9616a87cf5d76af87d09df17421b59c4235af868730753dfaf345067c5e6886d2dcc07ffcfc4c12971af34b71312085da5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a3274ceaa7505c13e54d471141daba0f

SHA1
74f4ee42a24e2aba4cc4584a6d63423660bc09e4

SHA256
bc8bf687f2020efb02dc8dbe3441f0c0a474c72b4dde713bc85e48372f511bb1

SHA512
adeedb65f143fd3db54139722b1a470b8d600eb29b4da52362f4ee86e8b1fa269691c0631de3286fb9aaf68afa7fc86ce9e1da59a5c9fedbbba42935d662592d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
91bbf0777d27b938a3741d0a7a4cabde

SHA1
4ebc09f4ccb02474e7becad56535073ed90f9c7d

SHA256
9cfc5c0a89ec635055147149fedd33bc9c8e751bbf171eb09657265a93da2042

SHA512
6fad5d30fc162b64393ba292fcd7c67b1e1c44cc4bd405da97c25d7d9a5f205c489c9b6cc431df97421ba051f93581e207d1d3007c4590e7a96d6045c5b0ea06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d708184f01602be8bb4e01bf485a20f8

SHA1
167627720297ff84b8e7da20e7ec81c7f1e59ab3

SHA256
90edc2b7cfb59d1d3ee369cb4557e99d52dc8e7a84234257d877a4054929e03d

SHA512
50972338b90e21b9d9539ef7bb447a4aafc01b5d18f9b41b5f36b6ccfedf0d96b2c010ed953f15a16c9a1b827a7935190bf85d01b8c1d490aa0f0fb05613baaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6c12147217c39b7b0bfa092c29aa04c3

SHA1
da5147d442c75f9490b9848dc58a586bef91a4d5

SHA256
f7e5d1c1780353d034331dc57098283116305d0fc124b69a09923a12899bc111

SHA512
01d2f16e55f028c792e27ec86bd26e94cc37988ae0028121788311927bb82593658fa043335328ea09cbfe984309f8af0e76c9c261279dff386fc7be2bffe3f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
83cb39263ec9e30f61534f8d000e44d4

SHA1
b127a7b64d588b435a8f7ad53c4504b54e28bd93

SHA256
4cadbaf548b6069beed09a56b061ad6b00542af8d09b337552a6abe69f1a1648

SHA512
eb89e396cc5b15514bd68204d912535c619136058e7553889e52b6cb557f8b8f4c99338c052f83d079ec1a37e21494c097985d25c459e2b59abe3ad86d556017

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
74046d8ba9641226f8ae6d082849dc13

SHA1
339213cd246008688c8c19058d7274b0652acd7a

SHA256
c56c1a954e82c98f4d36b257795ad37ba3d9ab70ca37f8ee543d7e4dc937f867

SHA512
698557aaa1a403326b5ab9b726ccb868cd6bdf4a0925be5f1126713f7d96254d1226c154abb80e8cf12ad86a7be6959483f6bee21918d2b8a35d23ca881c813b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a9257f2aab95168ab621f8f6a8ec0642

SHA1
6324cebd1ff6db4d109a50782a20b1218393cda0

SHA256
1d7f5fae3285f00df38b19a9583da67c9e761888032074674feb093b06767522

SHA512
ac5b522479d8717d054fa6e79e226c63a9979647c0392f8fa8340d97e01415be79ab51ba2d328374becda220ececd878eddd8cde1afaef6e5b8118edb3e30dff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0dde7d84415f9d4f776a20941f2b62d9

SHA1
402d49d6da4b598cc93784b2046b5ffb97294cf9

SHA256
690931206b32d1f0acdba9de4b48091709c82b6ecfd64286b21029959ffc2a0b

SHA512
571dad5ba1a45feec9da1d8976b3b5b9a9221f168fe2a0d8973e847c1535dca012d700dc46eb49096b28c2bdd7df18794a577c6f43cb5a6a8eba2dd8f7c39749

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8d206d7be947e26221f19ac722b33ce5

SHA1
ab531270dfc36f26d8ada18bf44e2bf86fac4bb9

SHA256
24e269e36e16b19c2b308e80aaa52853941baf06a02a5ad7e0168f15217f6417

SHA512
c4b39a1fb68418db1e7d2f47e8b80a57f5ec0ba61bfe5c3b15320410081ae3ea79e37aacc0a1bcfb86a3b17adc007cc2d3478a5c03ba2286ad259cfa77bf71cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8ccffc249f9a8924dc5d38fd59c2a4b8

SHA1
3a8be64e8e6d25f54c54c55c3a532174a6c4236d

SHA256
32577e8c0bb71f6528dc018c6f0d7f4e13c0c7f20bb2562162d856b5523e05f0

SHA512
41c91b586fa35c3165835157a67f34579e27a7d73b033581b638b79b9166fa58f77e508bfbbbe241ba9c9a6d0a5b7256a3b546336bc3883d38b37b0bb3a22189

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c859d513d2ccdeec2188312e4c2aa125

SHA1
0cc0139364550ed69ba5531af7fc893311ba191e

SHA256
26907cc4627d80d8bae7aa1d00fd50bca6e25c6081639ac7acd5f3be8d6e04f2

SHA512
3d682255353224283b27ec2852d7d9d3e09f13f6a374406fb8cfca199721a81b511602688f83023ca151679c95c929d557a2eaefd352b89b2da7cd6a829a820b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e008a02a7e70b384dff67d73f4ccccb8

SHA1
e4a7cfd3190a2e6cdc7542cc690f338795205738

SHA256
c15dfbdcf788980002899183193d48496ded00abb1c11b80be6233d6bcc9516d

SHA512
36b64716d73fc72996a27b7ca2137fb5422af6d9bacf148976243f07d54d61d74028860aeda8adb491b85042d2d768b6aab2f696143895a2b08e3720f8b0e3f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
72c297bfdfd41fd35050e7e5e47a9412

SHA1
b3c43e64fdb7937d70463ead3589896835de77cb

SHA256
5ee1fc43b545deb37e3c3669cb4b8908662b1058ed0ebb250b08ed3e69d88211

SHA512
a2b6972ed2c236a29fac6e515c1fa1d22d7d756167301ada869a0248c75b6d7c65d14a91aa8aac0e290c74b59b0f6835289655a6cd6eec8d015ea82d8ea16e32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4082d419698957c6a08bd6686e6ccda4

SHA1
e1c1bb1926136335aa11d94e2309b656257459ad

SHA256
7bf6f635ff7184f92eec7936d4121902096cfdb7386ee1a27d0f4b122051ab88

SHA512
5e0956736d2977576bbdc6519797b821eecdbf75c616cbbd0459118cbece84e710f3c5cdf141b6f8ab9e48017a9519cdb0c822f422495da414c6d0adc57d6236

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0261a239fce0b3f6c9170d32642519bb

SHA1
d9ec21d368299147fab0125efb6689db2d7aab84

SHA256
0eb04ccf1c6fe01c35464b191c42515380891ecdc80a7fafca5a6aef8f431334

SHA512
cce7c3e0aff08f1ee3601fe5ff198dc95e7f64ab6a6de91d831f6a536eaf56b4e013a7e312457b4fe002fc47c8d560459667aa33896e77dc7f2a856ae05c0fc1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
22a0c1f23cca235834ac4a41e2aaa25c

SHA1
2c8c5779ba30fae6c19832ac37a7366bc6f8af53

SHA256
400257645562c95703d94b5699d0fac7c58ca0ceaa39168bab7f3c707bbef931

SHA512
da18418b60cd8bf3c2523c49be35212684ab5fdfee1393db0e99eec335af8a15026bbeb8261363381cf829a01c777476aa9e321d15b791d3de84d6a63d9f83e3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c810b7af969c10f8d3516257bb9fa75a

SHA1
71f75124fde9781d21730dd91e52cfde1954e8e6

SHA256
8c866371f93c13bc48c94dcb7f2c03d09a813e716ccf35d55a8ce293b6ab3fb1

SHA512
31acf1a9f543871a0cf9d9b2628b2b1e7f2449d0135f882bb9b5b17c4a602bdd4dce65f721625dabbb606e3ed4c9288b64efc441d1d95c3b931bd0426b23e0f9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
25069090c2795168b37556319b9bdd2a

SHA1
c3774f5db6188f8282f1d4428c12195eac9fe77b

SHA256
2ec76eeaebeeadcf1fd79a551f312dabe84f45012ab5795a1c9b0a97009d28b3

SHA512
9fa631e0ebc8083ebd1193db2b894782ce1922b57cef534a118c23d907c0ca580546f2fbaf1165e95479f21284713a0c50efe0061ebc1f4f29962c4cc0b21ecd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
faa6a3b619f240b755e442d53abbea36

SHA1
6576f721cc2599da71c7bb4cceb4cc9793fe36e3

SHA256
7903bc9e880067d0fc411b4033268ab0e2e4882eb233834739a966904802433a

SHA512
0bb4dd8aa71a6ed40c4c7ad8a3d1959040a76596c08031e64df30207dfdee2fd3b31b25a88c3ce03a197e5b0e453204b9836cf98eff78899a71da6b746afe5ae

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
a03e108cb693bce5fde98d8c93c08cb6

SHA1
83adcb1912c60aa5cd1a2a09597e254e72f0c147

SHA256
93670b184bea8a11fcb16ebe6d107e1ce403d9be44dad69301ed23ca968565f4

SHA512
a172988813493830fdbba9898feb45a5337ae66c134cb6355b648efc0d255d532d08979dd0109d3af3cff2440645f70391a85435f3325efdd19798e3b69c90e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
539ae8f2a108aa8014bedde9218ff59b

SHA1
88533618fea1c0fe43adac6eb30dda3f2453e70e

SHA256
e46101836f020c630f6c2fd2d16c02ad49f11af2c2718d3b6999c771c8a57075

SHA512
009451ca326e9cdc8d5e20ba4f4d3b5c4b05d8e0723ced97bf0477893d7098ab923c56ccccb558e07339f565524ed9080d300e2c309180df058f637b0da58119

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
28dba1010085c3884346a3332a5b499f

SHA1
d51d42954408af166fceeee4261604ecd29f379c

SHA256
d9f14503f946c67fa23015a38e9f6fffc624b2b4fcd5ce369a664b067be4a459

SHA512
48cc04980ae8dc3d2a732ad4baf72ee729e6fa4d49bb9d93c533caf7dc5d73a6419cc92adb143f560273a60ad89cc7a8cfecaf733c9219803526bbcc8caf3d83

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aba759419c8ec443c275fe30652fbaea

SHA1
41fe30f28fe39b88bc3e270c0988c7e12f569540

SHA256
b0d64447165a4d6565e9e3a83a7fd0b59d7454fe34d9841df6670e9ec7122619

SHA512
fd954f8c1df8291de6ace73dae9a34f3646523ee06a60c79cc8db57d46a46e6e82e37934de12f8d3ea4bb2492e7eba2c1019696e96fba070bda7c23121d370dd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c19a95093631330fd5ace6a5fc5165e2

SHA1
14346e18ea793f82dc3a28c9401f910d4e7fca8a

SHA256
a3dd47bb95110468c88993a1292f30ab0699a398421b0c187372478bab2f2131

SHA512
3faf59d7c578984c6c995b06a92f66c6e72af3fd8763ed8629f66e207c4cc8454cbfcde3823ea35dca89bb06c5fb92c310798b88b9c216059bcd473f14167462

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7b21c1c58bb9a11f02a2128c7e74ef66

SHA1
76a02e8904c010f68505fa13498eb9ec9dd0e9ef

SHA256
a1189b1fbe82a897719a0286ad6d079ecd78d9a23243438b89361a1b63202e0c

SHA512
11147729f517c2c94b21bf92068109e3880c44703649605cf347db8478c49765b1cffc75d870b7a9e9556d61a969c41b43516940967b8a4c0c3f47795af6b101

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a97185a10a3c4fbc1fa0d0c6499896d4

SHA1
0353152a498ca76c603af3c3fa3f807ae4826f3d

SHA256
c2374fda6e90fa547155b1ae02905b2d6803d1d8d27773e962de8a8adec2b1d2

SHA512
dee35abc2fe569f70e18407497322b4d3b8d495cfe3f38ab021461f8fa26709d92c50b58b85e5ff8d544d564adf00e445b6664af9cdf3453d69765a201818cd6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f92e443a89ebf57dfc4ef7afabb26725

SHA1
a0dc7a8fece57bca46452b78d02df6b67bdd8625

SHA256
e0986c6d08a04df902fd9bbd1c10e450d41fc5491b8a8ec174b0d3f5c909b1c9

SHA512
7fdf3c1e0a076516773c00ba2bd670e39f164bc4f44ff6cde1c873ff87d01a892b7c3e0d53cec97bcd51e202657cbfbcc81949264058b423354846e380b4a332

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fe1407fd159ff12a7829a985b1b0dd21

SHA1
28f95bab4fbf4d76c6cfb6553a77a986992c63d2

SHA256
5016143d32fae008a874547c77f93a3df347a376131e7ae213f1fe4a3b672125

SHA512
73990c5310efc9e0cd069980c2ae89bd6aa02787e47b3824034f0c767be8b68f0e1c8f5887ebf21d2ed8ca467d5e656fef99623b24f2709cdcee168a79643155

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eb137982ac08749992bff18f71489e1d

SHA1
8acd3a9a81cda5f157325b1bbcf3861af58524d4

SHA256
8ea674e19d384e718ede90e4863f1914588a22e48646b72c870ef22c4841ab54

SHA512
ba1fb529f5a8466a498224c61d21bfdae1cf3028c6e9eea49ec6beedcfe12ea85b39256b70bb30978c38e8af96a3d3944c28066206b7a6c3a3e95ffca41de03f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
1166acfccce685fbdc88770274cb3942

SHA1
ae79ec1bf068ff0b370be68c75feeda48e215c00

SHA256
4d2e43647d260e64aa33c0d6d2e5ba5b9fb83a283cb578ce984ad32e782e73d8

SHA512
f9431d677b0c5e6180eee8f7a0b7d2cbbf3c73e0af01aa72daca60c9e0cda979c64b309adacfbddf810514374b1ef5e739123d46ce6928f5a2ebb1583744ad2d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
042c5800377983fb55c1846c0de2e3f6

SHA1
df278dbf02bfd4c100cdcedf725850aff97384ef

SHA256
e21fcbc55ea89345af8265f8bf212207fd5346060a734b3a05f7b557201d6aff

SHA512
e6efd258a2d9b7cea104509c84eb82ddaec98dab63bd46c6047124c51706116eee24c8d7a68bd36d7a381e7210936d721f98c0c7a64d3d0d57b91a1f0295d94c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a77264ffd02126aa618bc314ca184839

SHA1
b6ed20acbab04e7923d2bafddc0cc54e453c91bb

SHA256
98bf8e16c66438bb1b932d0cd06bd99252353ef408fc10e71760e751974097ed

SHA512
b85f8c3aa6fa7dd5d5547123eef01cbbac55ffba6fa0cd1ac6a500cfdf201d1bd008079dd8b0052e6c984c729cf6fc6d3e8ee7b31f98a2e193eab463bf222bb2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
730dbc144c633ab947e43adc50bb6e27

SHA1
f4d6316c7815492fa9f6bbbdfd6a5f78ba6bc1ab

SHA256
568c6e742fc5540fc89d267f413195b87714541833e3919f5b88cfd4e7ec4218

SHA512
eb0e7d7fb6a552fd227ff56834bfc0eae3a46bcb6bfee5e905a6af8f5ebd91f644dfe40ce44debfcb76d6b26b41115a0a453fd55945158f983190f315eb54d91

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
05c535130db5532d6c33e852cc009074

SHA1
b9aca8fac216a053ea0a3a17fffe88a51cb99476

SHA256
17abe3b99dd5ed2573569fccbacade697c9d1e90fb8201dda1adf0658c7632c5

SHA512
bb39b55a5a52cd607e7d0e4432d9b0b07461317845ca42b6949db675fedb083615d1984feb525ed3d864cb65e5cf61d3ea1e10d3cde1757ea5021bd3a01f1d36

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cfddee0785317ad6a54f540eb54c91e8

SHA1
03badbe4934b7eed4277620065e4f84cb1950d65

SHA256
81927e93d16fa6846f1911ff2fe4fe570f43018374b8575dbee1301d5b72fdac

SHA512
9f73bdcb75c87ce8317ff5fa6e83bb9a66fd93e73e8b20bb3c2cf45c3ee5c5ff095199d1e8e3db3c316db77bd8ff8e0295e07e556e3ac90b6d02acc0427dbd99

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9854723e44b7f83ff7f823c69d0911e2

SHA1
0745fdee4157c46d36172df79e7cec0ca55c6f63

SHA256
f76e6ad3a46c80331d9ed39900f40c520f8b5360d8cc5765c17a1450e6aab98c

SHA512
79b719e3285cf03ee98f13599f018dc1fe0c036e50cdd40f3304e5229a394d8eb056c8cb69bd63fcedb3586aa66ed0655bd4acfa9369d648d4c3efa22b39a23d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f3e60d5ddf2b79fa74bf1627801be384

SHA1
e9d75c52399563aa050944bf5034b6f00a4bfaae

SHA256
1b81fe660d223970d1fe84e4ae0e7acd10015ae19d252423a14ea265415bb476

SHA512
b46cc4ede87375160aa58d177da42e92a825ccde8295a7eadbe81ad50c31c7578e73af65e45ec1f26c219c3b9c0daa948daab2e190d75e5e2e7ad3b850ed5d60

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
9c47c21dbf50198f3e546f72bdab852d

SHA1
7efa0f795865bf10d67bc61a844ca5dc1c19714c

SHA256
243b549b0740ca2fa6ee5e9ed05093d801fcc4674bae02cd858b0419cbd28e3f

SHA512
46df49b366e3d0d3ffc3a00cd936f32bb6b232094735ad873fda3876eabf922882dec8d3aeb23d0d2d7c9cfa0f4d8a2902128f866a41dd49bb00d0c794c96a0b

Download Submit
memory/644-231-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/644-114-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/896-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/896-219-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/920-78-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/920-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/920-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/920-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1108-589-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1108-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1124-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1124-17-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1124-11-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1124-113-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1312-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1312-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1528-593-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1528-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1828-243-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1828-132-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2264-164-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2264-484-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2300-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2300-45-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/2300-43-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/2300-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2300-37-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3020-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3020-599-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3024-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-592-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3024-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3080-600-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3080-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3216-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3216-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3460-7-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3460-83-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3460-5-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3460-0-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/3476-143-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3476-255-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3656-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-85-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3656-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3656-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3700-58-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3700-169-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3700-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3700-50-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4588-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4588-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4588-24-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4768-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4768-594-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4876-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4876-523-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4956-240-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4956-597-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5036-87-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/5036-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download