0823d0ebc485dc2c41d0529499bc9d7c705d21b1622a0e35d5656ffa4b402b6e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 22:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Size

24.3MB
MD5

c75e3bb5c89ce4d48a689860127ae244
SHA1

fc286a016479d15a5589e318886cf09fa788bb6f
SHA256

0823d0ebc485dc2c41d0529499bc9d7c705d21b1622a0e35d5656ffa4b402b6e
SHA512

93001f2b9ac9a17866ca2bdce4e60328ab9ea1d1f25690f8367815ddaa2e7e498286f99ce509fd6bc1189d9efdb088d9725be5c255ee65970f14de07027858ef
SSDEEP

196608:9P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018P:9PboGX8a/jWWu3cI2D/cWcls1a

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
984	alg.exe
4700	DiagnosticsHub.StandardCollector.Service.exe
1820	fxssvc.exe
4780	elevation_service.exe
4536	elevation_service.exe
4492	maintenanceservice.exe
2348	msdtc.exe
3004	OSE.EXE
1684	PerceptionSimulationService.exe
3300	perfhost.exe
1116	locator.exe
2664	SensorDataService.exe
1520	snmptrap.exe
3840	spectrum.exe
2172	ssh-agent.exe
532	TieringEngineService.exe
636	AgentService.exe
1132	vds.exe
4460	vssvc.exe
2948	wbengine.exe
4800	WmiApSrv.exe
4492	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\44ade439bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed69ad1bbcbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf1c9f1bbcbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087bfc61cbcbada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aeacb31cbcbada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a2b0f1cbcbada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0dd51cbcbada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002004ae1dbcbada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1820	fxssvc.exe
Token: SeRestorePrivilege	532	TieringEngineService.exe
Token: SeManageVolumePrivilege	532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	636	AgentService.exe
Token: SeBackupPrivilege	4460	vssvc.exe
Token: SeRestorePrivilege	4460	vssvc.exe
Token: SeAuditPrivilege	4460	vssvc.exe
Token: SeBackupPrivilege	2948	wbengine.exe
Token: SeRestorePrivilege	2948	wbengine.exe
Token: SeSecurityPrivilege	2948	wbengine.exe
Token: 33	4492	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4492	SearchIndexer.exe
Token: SeDebugPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2584	2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	984	alg.exe
Token: SeDebugPrivilege	984	alg.exe
Token: SeDebugPrivilege	984	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3492	4492	SearchIndexer.exe	108
PID 4492 wrote to memory of 3492	4492	SearchIndexer.exe	108
PID 4492 wrote to memory of 2736	4492	SearchIndexer.exe	109
PID 4492 wrote to memory of 2736	4492	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_c75e3bb5c89ce4d48a689860127ae244_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2600

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4536

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3840

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb6e8f976d9eb6498fded1bf95af9ec4

SHA1
a71f6f1d6e972ddb6c26ffd6d5133da9c8c778e2

SHA256
f2d7807e6fc21e9564651df3a2f7d5e273533644237832d820c58a156a5a8b59

SHA512
3e90a71c980b00dd8fc45d21c4d892d4df234eecd0b5a8f91cb4a057e08ab9efc914fcc5cd534d52c5a805837c06bd59d0759684a952c9c69942aea275f5d5e6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
594a5a02cb73953b6a20de44eeadc73c

SHA1
e849d237c3cbd42fd6bdbe5ddb99e8d99b337b58

SHA256
8abcd38f8df8948212b5cba97ae726299a072599475427af865a29a34c382e0e

SHA512
aeb76b1a47fce769101a695cfa2e9a00890de9c3cae08b5dea6f25ec72e8dce4bb60775664959a4864a43b5250dae59cba1d5a0d8b9037d488ebbd92a68c6d8f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
86cd962255f20c73acea046f2de38774

SHA1
3b2ee07bc7c59821f6e9f6c6bf6d9c99f4e4c8a6

SHA256
bc0fdf426023b9c60b497b967e55bad0d604683013175f8f234b82ed2f4c4b3d

SHA512
a1a9d22f3d8f0be9901f9807d82651d0ae1e1348b11e4be54192f37e9246c6b6c9fc0e3add74030af5c701d8a3152bbb65e405ef9f8eed3ac528e3663bc8ba6e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
06540fc06b76978ba99e051ced8bff13

SHA1
96fdecd25b1ca81840e50efa34dfb1324ff3c23c

SHA256
def2164d4e03151c5e95b424ab4692c8f545c5880df587858f4b39c7e51e4808

SHA512
a9be94f646ede8dfa5544e17be300c9d1a050b79b48f6a4156fd976ebc46c76328a8c55ea58a7428888032f3815095eed86c3fc1c80370b071c972d58eb40987

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
47cdfe4610f664915ff980ca72247704

SHA1
0db1fa71229652905834734fdee1260f98a958b1

SHA256
646123caa2c50fee0c9c2af7638821e0e19306a0b085dbaaa5cb96f436f17b8d

SHA512
436b965bb050893c8109e7b44960ee3b1d890857738b56560bd6c8834b272201a1f2186fe9e0c0b0c0a3522faf0d28010011c9b0db59459455d268326340eca8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
67dadb1033ee25a27e42247e5ac77ceb

SHA1
8ff96cfbe1bf47e7506b48b286e698d9e7df405a

SHA256
44965cd7612a24e4d1e90554523445dc226199befb3daa017c987d24c5c732d0

SHA512
d03cfcaf0d7671107e61a6eb3326a60d0893d92992f15756836ae9317e94e9e15f95edb95034ef082f89b2cb9c9e8f559265329057ea978b4e8306a951959b17

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c39bf5a904c1f5969d8c3dbf5d58321f

SHA1
c3d2787a19c47ffe0858b1e824ec6801bf733823

SHA256
e4bfb09af90e2e3a82060412bd11476f2875225c416b57580a607687ef1cf135

SHA512
a1b64685e7ea9f260642e64132a129b4cb226b61b13f94294b6c6030351c1484af8e1b35c19421c3d680584ead4b145fe2936f6e648c10e53c0b03e487ba1da8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9576f05dbca4339e20d7efb0d7699230

SHA1
3d58027c56915f3c7bc180e119f11f15d973d163

SHA256
a5b74fa4fe8865fc286f7fa9b188751d715857476716e1ec746c69b532c3378d

SHA512
cbbe585279325f4bc46ecc2863b357e362d8289cac988ebdc288ab3ac6cbfd456ffdc8efad694b763da52dd2d74558b4616f2cea8b7cf0d353b0feddfba361ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
70f1e27277f5fea57da6f90a3a602dde

SHA1
c7424be100209a156039cafaaecbdd299949f277

SHA256
6b000a902867f77acdc64bb2615ac2dd01abdc13cbe8106a9712cf7f02e12cf2

SHA512
bc3cc83824a7d9b4d56df48a7d897fe06f1dad50dc2b5e53db1dd6788c45c9776db86b0433bb2e4b9aedbeca3d0c04551fbb01349850b1a2e04d6f4b93a6080f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
bfebbf0867d04e1fe9f05bde4414b18c

SHA1
4d4f138c48c1c8e331e030a7141555de2fdec498

SHA256
d4a643b0cf66fac3ff93a246aa36e2c47ad29c20b704ecee5c51e3f350c2b1ce

SHA512
77fe96006139f00204e8d2bfa5836a6727db4030072b3f236566fb1c3670bd1d7f1eafc3daba26b62e6910364e822ebeaa24fc3da6ddb1f26335a6a8e4ca10d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bb218eac148335afbe44173faddbb366

SHA1
788e4f8f2c6abbd1d71c4216f00e8ce7540b4f88

SHA256
86df390baf432d38656816c9514e0bf5439bb314575908da3c7302fc813c52eb

SHA512
fcc4e9b48e333ed43f250523009643f9d64496f79b37b0b21d55d281f3a10fb14aad3969c5c3998421df81c921c063e6e926db3dca2eef09a6151343b370f9c5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
de99289b37417f0b4e39b0fa6fa958b9

SHA1
f3863fff8d2c9ea8ba2d6379e612802401d6fcec

SHA256
11e8a42a55485316b576d7aab169776a5adca0dd7408fc8ff376bbed9cb7b827

SHA512
338e34ab86dd212827b33a02f68861206707042fdfc3ee836c0b7266d1798d098b192b11718b35aaf94abf9cfbb6bcc3f003e8f7624da3b0a65be32a98ce8b57

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
70bae4cccd4c7045e9f9f732388c8697

SHA1
36d807a59d6573ed7fb1b983a4ab0409dc5ec95d

SHA256
7bcfe648f9156d4cf931ba75fd2b24348b06ac4608600edf10724c2b8c4a09b0

SHA512
33ad94196c6330660c6cb0df58ce7349a1d0ec4283bd9995987bdb048ed023b456c368ef3998f3ee2fb4dd6d6cdb8e044bb0a7de90197554ea461f15b4e3e630

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5f63d0bd3205c8bf909e4b65f753f4b3

SHA1
b0e0c6d530532f8ba70d362f4a1e2164207b6a42

SHA256
0b787b3f7b06f3072b83e9e28d3118661fc73c23b8aafff2f1b76a45571df0f4

SHA512
e4a39e18be4b3f0fadb2c6080d18dab4e79170f5feaaf23c82c6882dce739be040a04a63761dd9e59647f8110a116a6a76f37162737996e2e66852010f1ac752

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b5d5bda051eebeb11e7fe0e1f8ce37e0

SHA1
aa4af57df912b82bd032e427814630a3cf56174d

SHA256
4245936b6fede979098c8c8f6c7c57bb872cc56953e5962e1e5a2ea578210d3a

SHA512
40f65f9026866f3bf56e5709a5ec012b1e648cbd27d2039c783f521f7e15339882017a7fcb210165d71556db35e34414be977efd8cf2dc33f2a910808a13666d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
96eef0eeff0fdb258e6d8cbc3b15d60a

SHA1
0ea9586286067ea9db246a5a224c4f8fba47195f

SHA256
262d67f22a0fbb1f50f7b071952b1ea87e1d1a37f8d4ab2422d723ace58077be

SHA512
0e1d23b5766ae358f420691e69e622200f67cd0f1868462ad6ed7876ce7aed380659e9be08685a2de3e9ab3ea4ee6fb3e5482fee51d4580543c43b35760226e6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0212c871fdf20c9804b03b8e1ed3bfdb

SHA1
4731dc4942c4c87f712203f1bbb6304fa92bad16

SHA256
226debbe2c007dacf7f5dfca5c2691cdd11cc0b109e501222f07fc0ea6d3195a

SHA512
3e5390f1164020e033b35a33869a25532f4fd963b7531e59ab21f9a5a3690a19ba519568d33618b9d525043aaeeae43e3e168c04003614b46736794cdf4a16a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
50f3852fbfe7baadf4e33969e043fc15

SHA1
e99dede67da987a9f75f9f5031d6fc8c6b237aa7

SHA256
a9ded0c7cecbbea8991e378bac80083148f17d78fcd640ad51892444043c9b8c

SHA512
0a19ac735054b41f4e3f9fa46241bf7bcb4e48351771295a3f02cf13ccece1fe167ec08053a43161fc808416cabe833b9d0c4366765f33bc7282e95cd3c51486

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b44eee8925e5b69c8830ecb5e7bb3119

SHA1
db314602ef0a9251c2f25cbaa0de23521009c90b

SHA256
99ed140657247294667d8eb97865e8cd03a8e871e1b5daf5f7f92ff9c6da9770

SHA512
ad2638eb54ab13ec9acb013fd7a19e11a87b07878eb78c86471cb4774c38335133b3514c1196f635b4a74ad6eef7a49043ca1031d817639e9e11ccd69785900c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
89f0a9af37eb851bc56057e9e6778a2a

SHA1
e310c593254cca4f0f32e63419f113d2e4e84152

SHA256
e2006c15cc7418227e5a2089321cdc9e59706d7898a548bf1eee26289d62cb28

SHA512
b276f3a2ea11ed20a1dcb01c1300627702eaa2bc71c8a974188bdb777c1d739f8dd87e31b8a2be821dafb2f948df6858651e5348a71b20bd7aac6ab545135dba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1ab75ae9c0c6513da446b7cc14d9114e

SHA1
58ebaecacbacc53c6ff0c01c842bc2c2eda146c2

SHA256
9b0a4e5b861896951da7e5ee7c9440177fe0f1e496acb125c12e3b6bb7841954

SHA512
f530a6d6fd998aab0a1518d9e5472167a48ce6b7b77584feb60deccb7c2257ce96d43f9c6930f7d62f50e2c0933b8e317f1e38e772c7acdbf811c0959597bf2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
cf86e6cdb1907a4e466c8aa05e6ee390

SHA1
fae9d47010444511f5cd962f47c352c72c18b0fa

SHA256
cb2154c3e94e2e5c1e5c0f577ae622b4dc22773ee2fe42b39418a644e8001034

SHA512
73a737dae2f221b0bc062e821bc8c5d5ad00aee5de94d13166c9498c4665822405ab62d6e667337199c4b0fcce9ef2cc93041c99465c68db47d42dcdae7e54eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
c2c947b80d498a653c6c0ca5c92748f7

SHA1
132a14b82d43627dc09ca4aea7067d356e31951c

SHA256
ae741855cc840ba5245a767aa1bca90070c19f5123e99f4f52b26ff2f14b2897

SHA512
8ef35033f3edf452bf0c5bc30a716a10c16c34b432149c80a807a88851fd74befc7dfb6a04e31aa03958090b11585cecdb5a076cf40c0158de320fc1c79f1e83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4819b59d6b6cf17a7ce3e77d9776e39e

SHA1
8ba474654d6f76ed0a8722c4fdaf7f27386821ae

SHA256
dabe1c08e49659c1b10b8c052ee0523f82fe5d21e45b1f6d4bbc9a48b22d42bf

SHA512
46402fa69b4981d46e43e5aa54623560edd1fa7a91967bbb6d8839b455e0ec99d1dddd857b30ea2b191feadb31fa037ecf9209771cbad202d152e913a6f1d9c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b5973dd7ab080a829b91e5fcd8981eb7

SHA1
16bace261646cf4f45f065a4559bcb1087786865

SHA256
c21dc70ce7f08fbdff84338c6ff5c3107634cb8f1efa3b592a87c32ed32c6583

SHA512
d6ceeda3636a84055b5b83d78d2bac1a8adc7b91653fec8b0a42844217b574e682b6bb9fcffcb3bc897f440a72a1aa95c4dc874ed6902271a0cfa2dc5888ef6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
16b76626a8d015ba62effa0b21c6768f

SHA1
140cdb3608505fa0ebc8b7085398db71e3e0b53b

SHA256
9e18d68729a4f5950ff210a0e7233f6ca11b84bfc595f253be992106006867d3

SHA512
19fed60e6a918eb239144b3d031bc7f08ab9bd3111e063e7034694635de6710f27e2e95c74488694ef56ce6425ece12e48a6af917320b135a4981a3bb4a82fa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7839d8202c3d89e6153ec5f9ec043bb3

SHA1
9bc2c9f7c6688c8375792358ae2da4eeef71ba9b

SHA256
a3cf5bb7880ebc9df7834b8349af06dd6f91afb715770feff90a8606a44500c3

SHA512
389950d5b641d287f64947a432d94364f98302f1de882ad3f3ef106886e52b23d7fb6f7dbf25e62efa5e3936388fe07ab8baa91f10d18d05ac21a1dceebbb7f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
aa942ea4cb4850751f3321330fb80e9d

SHA1
8faba5f4565222faba2fadfce7934cbc8cb7063e

SHA256
85d5ee5568ba0cd420cc50758e4678d9525f40a4ee6e742ec17226bfc2d07ee0

SHA512
5d79049929d1300b03737a4c95e9bb137ceb41f83f47ff63143c2dfe718a134caeb79d00a04d8c6972af7a2bbad224319437daad4438855fbaab9242f3f2a3ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
53fdcb000b11db78fcf9551fc5d3bc92

SHA1
a402f8a8bffb18aa342cbe92cd5191b1a83b182d

SHA256
f2a6754763d3e1f11ee1d5c22790b325bc57056c4b278980f4f0dc9f8e99a87b

SHA512
22430b5f937f6e90923b3ebc9ce175f4742768f44211d6f2f4f721fc5bd2af801522cae89a896a3e302213c106294c8b8cbc6108071d43ffd409f4670bc44d6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c5142fedc8d387f2447c64ae64105334

SHA1
7311e96ce296c28bb6246d9af956609c1a77ebcc

SHA256
e926d56403eec39d77b58f765be856340a5a88bb8c6ca0f62bb0c23cfdc4f646

SHA512
59773d09c093de0964f78c5d89a0a986de35ac2df8db1220ce200db8afddfa36964a38df46230586b6cf09b7be8f1946dc00fb57eff367e163a6ab7ae62255ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
50a7241a2437010a147abfb0d8cec94f

SHA1
4949b99eca857f818c23b85a0e3923a8c6cec780

SHA256
1e1e93ff44ba206d3b311e8ee49ccf18ba7ce662a6456312b5d00431996bf5c5

SHA512
0402b86156c6c381b5d0be06264fcace826e856a81f468d8dacfe108252eee14177a292fae1637c82860692c33f3797711ef15888d35ed0d4383b14b7f3cb033

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0db55367844e52c548d7305ede2556e2

SHA1
76b47ee0eb4f428d8791909871ed78d6de85a580

SHA256
e66b26a75b2f8c2421f0371414b186daf3d3f5742bc65cdb80f8e1e3ae9c789e

SHA512
d416d7c1f3743973ea47cb9ea25e47fecc29767cad57f38e91999a79baab22c6aa0c52985d97b35ed13103c90cc0ac0539db693cad78477b5c367858a110b8d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
01be5873fa055996fd32539d96d02536

SHA1
9b7b0285d6db59609a20c74c189dd886b060155d

SHA256
f32ed0b2f23f9407a578f207b5eca3667ab6de14ad5d4f208ea118d67f0d8210

SHA512
a87f2ac2a079a133468172c1b852258cce2bac392028a27936939eaad0bd7c55fdca7873a33706ccf04b5c9b16a406be76d660ba64b8d3766448a18e36077b56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
e14d34967cbdaef341e161612a90e3a0

SHA1
66af8f90f3770b6a4b9ee655ba77e7eaacb80877

SHA256
6b6209c1a14cbef6c2d083168bc61de25ac362119a1e7f0424e08145c4a8b337

SHA512
de805a4bfef3c91e534975a440e6a3541d97ace60c3665f5de4e2494e1166793e2f73be85d0e91f19589a7648350d43f4def4654817180feaac5361d9aa46f59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
38636e49f4ae808777de80cad2d01bd7

SHA1
546be32a2184093a3eef85c3b8fab92c4eecb3f1

SHA256
fe6997ae9086d50d6dd51b49a276c5b1cfc7a2f2bbd1d791037f6f9878637ab8

SHA512
58b8e39c57df272b76a608d344fdcd48f7585169b8672de9a3918b6ce499420f372be8fe3e0e877558eb31ee29467a7e980c3e0f2e908666497e927964e5cae2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5fd68ab698e9730d14c925df0f3f3f59

SHA1
00f251051e7d259d1a0a896c8b6a89cb5ac20461

SHA256
838d4b4c2cd257185ff69bbd6b2752c9b8f30cdc4e27bdc4b0e276be3924d420

SHA512
3570516a0a8fca6aef09cc530938d4d4a2ad7bb5ac5122805a0e410ccb1ceefb893684c5898b1eedb00629a1dc36fa5618f9767f9ca8c08268ffd88c5dd7e342

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
edcb500df52dfa123e578155d7ba32c5

SHA1
ddbc705cea6bd4390aa999e3b2e9207f7e8825f9

SHA256
1cae93860372378ca60e5385f29dbfca42e151783c6dfd0cee22eb1ad5add5f0

SHA512
c1d302a236cc7935956c60a6be98d645673d9836fc1b9fd5141d9448104a7026e08d79c64596287f827c76b27fd68aa53c7ee7c6c636ef9f8586bd84b68d5575

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
764304eb382dcb95271a7564dfe21e10

SHA1
66e4741eada960087da74fce7dab889bc26744b4

SHA256
5d3fb788160f8fbb82408a658dcf3cb40673543bd9abadd8267063d13749c137

SHA512
1eb25f3961bd992f9a614cf844e11e778174c97e3d62d351031231d560ad26956142db0079a37bd2d5dda68acb68f6b345147c87a0b4613559b14d25dc0bcd19

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
83755e758b8853af1fa0669cec2f7c78

SHA1
dc094ed23e7dc820f3ef191bc0697365079bc995

SHA256
2efae90b992cae76e28c37336d811635043ed563b2229957be9c7c3a8f5ea026

SHA512
acc2122611bb7bc99d5143950bb1b16b7e57dead400b516d905f7c92cc90ccb2117b2415fb68a4188b8909700f11b225d092883c5ad5885e61d64368c691c52a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
8936d784d6dec2c109756c2c4795eb33

SHA1
d175c9624cd5dd9c07dedb6d968901f48539d979

SHA256
1f5f3385a46d03465ff0deceed8d0e7335b7a58a55fb805806ba245cbd03e824

SHA512
36f18d95d81298b167e405e08a67aa4c3c4c272800429712cd58948f76b56439c61025b8d264021997a44958a41d3f0a73ea6ea86414f7e8f405088a9dc4b85c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1caaf38ec7281a8d8288e690462204d4

SHA1
6ba24a9f0402f5c7ddb477eb779ae9273d7e2aba

SHA256
01eb30235b0eaad4dde1d9e75a1bea29f76dc08c9d6eddf5f21d4b7c475c9ef3

SHA512
2c7f8036c265fee27b296556913d502cc5570f64e7e9690eeed5e94b8685617db7d68caedbefd65dea155aaa422cc8ee5ba20d4126a077ab77937692bf93e7d3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
38bbf68d29dd21d49d6bf62eca936266

SHA1
d5485143f445c910e19c6dfd7564720cc71d0768

SHA256
ebd6ca9246c58233b31fdb3e7b07387af8dc7fa02d5bc2aae6aa66ec53546c1d

SHA512
41a77e1428079caeb647cc54880723ddf1ce14e561cf97d27a130ca3bc10612c948fb3cecd26813d596027eeb8a6ef41642469714e82dbf1c06b1aea2180303d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2777df019f7bdf0785738df1736f0024

SHA1
765fa1eb49ca35b4fecfc84e0505e7f651cc1083

SHA256
21df1e1430fdf39230a70236176f706f9c10d16df70162e44caab3188fb9045c

SHA512
bc6d005e4c127d53b5c7d2d674d8a731b16e3a31c0d19e80fedc3807e3c28c58e41dac7aaa6025b25ef3791761aa97eb935c82b3112b5567b196fb7524a80b39

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f8aa9bfeb4c999b6fd95b7520a984b76

SHA1
fb2b08330b72851b8145ab4a9cc2772c0e130eec

SHA256
9d047e30a9892733a56acebd68817c4e03f88a6c7fe9c1ad76030930779a6e02

SHA512
1638dafaa795c08124b9357e761492313ca9e7f180c04e54bfdbc0ec756e5ffbd83facdd63731113ec465adc7ca0142bd1c5ed80db787ea50591a8e4526d1cd3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b7961642dd84b3fec02775815402f5ff

SHA1
70647d370431af1dd1f5003de5f88b4b1bd1fe3d

SHA256
7874d2b05f8b734f10f6f66cde51cbe1b1b99267d409838d67be0ad47faa6e67

SHA512
a4af1f4248c0c88e7411d1b5f770cf6b0f9dd93ec9582729294a36c370a5a192ce2ce3c6b28be807087b4960c7159423339d966af1fff17beeba665b3ae987eb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
598262fc2f1e4978934da63fd4c0218c

SHA1
5f7ed89d55fb52e33bad4ddafafc8a2ef6c4a538

SHA256
997a2fed578b5b7159bbfd1669c9ad0a4c0aea58d6952b559eb367dbeba65b2d

SHA512
a205a7be0b21cc4f4d76fc01a1a914700b9319387968daec005dd07a6411c5ba08e67702717e2691befa72435b366fd6ea0dd677090062d8b10b9cecc1b95eec

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6634d408b2aea406e910a49070baea34

SHA1
81545c502d0adf74795ea792e476699b5991296d

SHA256
591097020a4a157ee2a8bae7b5044e25c4b7fabf4d54869a5054a488304b7c5a

SHA512
ad5242913e0c6170371be1414cb66b32b08198b72bd1172a869be927313bbce0a9c12fd7b80341900736d8b68d17ee4a65664c8accb5f089b742e8031ca1c292

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fa0043e14962217ff2bb46b6cc48f254

SHA1
7a71d038aae6cdd695a4aefe0fa548633f9d2771

SHA256
5e311424d17537ec96e34df31d93e653441a312568d23a0f0a95a4c10a0fa093

SHA512
fc25cdd6dab41c0be793e5a09abd2a9cf43d015a8cb62e257db5368152f15092d1a4a4a7bec266aca225287d68b6cc9560018e50bec9cf1649f393fce33dd95e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
105246fc0343efbf7ee3dc46c38319d5

SHA1
2a9a751022cf2c890c2e1b7885175520e76ccc04

SHA256
88ce27b44643728db09b6b9550da29f8a9464d69374a87205117f686eedb029e

SHA512
1d0653fbc22813ed49f8ef61af2ddc8b04e8a5b683d8f95f4c528a584107e5cf2bbf942f95cc16e7b7b8c9eec5d3f23bafea99495aeb4993b64b84ba87ce7c2d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
228aecd200565812763c4ded80cff5c8

SHA1
996e9a332c37639ef20d749d1bd2ef30b3bfe10a

SHA256
75b9c04dc1e54cd36519cd66b1bc9203f995bd83e86b174a361abc8d0463c74c

SHA512
74cc83b00051795031e23b5376ed74f6dfed095510d92f14a8cfb1bc0a11d92309a09cdb288dc4102878c78de787e2dd3b3401afc12aa9c839338ce021be212f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2cc827174321c6a5ddcd97dd7d699955

SHA1
258e04f9db6f9966f856fc10a087603160e87c01

SHA256
6241b9582af2a89fb5b08c165809f5a6e3d68fe021f2acab959c0c3f119ab2dc

SHA512
f5f4d342cfa33aa20a8e03e0f47670aa860d972f67b9c20a84b33c53941e56c39c1654e5a99d377cdcfee3ee27c6ca31cb581703f9b03ba66e146c99ac3531cc

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7532a0c48a0074025bc5da78fc7f6930

SHA1
f2aefe53cd443eabee3e18dbb8ee0a47963b6ba2

SHA256
6f15c8f98a096effe8780b57749eb5620fe5abdadce0e7ecb80930571b6a89a1

SHA512
c4fecdcb3a08c9b33b551376c1e41a34e91bc1550928571180cd1582b142bf27415058956522db101ac842ff34ca62fe4ecfc2c113c70d02efee616c2e7f5808

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
90210fcf79e704aa5d87f1d3f9933a3f

SHA1
b44c5cb75a3900317e88ed8af1be0f7e94946912

SHA256
dd61ab7be563c798ec8813635a1fb129bc1ec3b18f927762305695f915c418bc

SHA512
f5ce71e979bfbfad1f3090377b911b0264de9638fd251afebb07be8aca01779a9079f7c6047aba73f1eba168fd301521cdd78c1986794a73ba18abe08d7ff9b6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8dc2bed1c6831be366299c864bdd94f0

SHA1
c439163b66d7561c7df7cb29ece90835263c46d5

SHA256
ec39d9f2828e17d495729bba6d026d5abef5c71fbaa36d7ee6d0a270f7a8ee10

SHA512
d3f54dd82a133cc0cc588f328a304d1babb6b18433bca5f2097192e7b01ef4177a414bde4eaec035b12682468ed7ff0e896ce9ff19fb0fa62d82ae8ea7809087

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d717dd8ccb71c9f449a93012c388bec3

SHA1
e5e6b732c6feaee9067015ae712e54874bd56748

SHA256
c8d43673e3f9bdc348f478f43f24bbf8d42dc86d5d1e8c17f1d1f798f0ba4a19

SHA512
d504b9ebcf4a61bac5766ff19aa61267081d0e5528566a1889c5a253aeb81e4775c433de90d061665bb099e74be231238351b56921319f71a38eb4dec38f2ec1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a2c77d0c330e7a9c169dde9e1bd22a7b

SHA1
47d022be5078d050c36249263a60e7dfdd683d24

SHA256
793ea1b964be935d6b1068cd4982e82ad502ae498efb1226ce18f9ce788d23ca

SHA512
b882f8bede5391701421e8828049215c271a1942796da8329a809073dbb19056d15a5dcadb106b092aa55e572ef3ccaeba2c54d35d3dace256b672a573e191b1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5bd11f2869fb200fd3cf3a2f94704550

SHA1
9751d177ea938071974784a05b89b30bea6f5051

SHA256
5292635597548295d9c9a3276df057a8b5d02d85ce1ea698f344a9602d615c10

SHA512
ad9ba2dad8345c3ce05299497c23d2d9e8c763d8ed3edbeab908981e88547ba0181b1646aba1d69c300d5b82d4bda50598df0d43fd11cbacaf12a5a40e4254ac

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
affa534a2d31c8e546da07efda12b467

SHA1
f1c08d22ceb73d528f368834a1a80c85b62f34b3

SHA256
cb7b7314868dd2f22713d1e8aadcc903d47924c8d2e751e32c4b75a89b051e5b

SHA512
7ec47c55ccb0c20ef5f90773d47f20e28e4dc81ea035ce9bdf3f4ee29253c2a66d3ebb6b5572964c752d489c042039ea398562781d9e513007fb103e00add8a3

Download Submit
memory/532-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/532-565-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/636-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/636-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/984-20-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/984-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/984-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/984-11-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1116-143-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1116-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1132-566-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1132-230-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1520-471-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1520-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1684-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1684-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1820-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1820-48-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/1820-38-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/1820-44-0x0000000000A20000-0x0000000000A80000-memory.dmp

Filesize
384KB

Download
memory/2172-561-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2172-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2348-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2348-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2584-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2584-5-0x0000000003D90000-0x0000000003DF6000-memory.dmp

Filesize
408KB

Download
memory/2584-0-0x0000000003D90000-0x0000000003DF6000-memory.dmp

Filesize
408KB

Download
memory/2584-95-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2664-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-564-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2664-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2948-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2948-570-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3004-229-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3004-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3300-126-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3300-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3840-511-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3840-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4460-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4460-569-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4492-79-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4492-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-84-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4492-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4492-73-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4492-572-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4536-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4536-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4536-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4700-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4700-136-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4700-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4700-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4700-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4780-177-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4780-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4780-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4780-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4800-571-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4800-258-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download