1b721d127eff434216b6e044b1061a58c342a122f78c7028bf5b65312c320848

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Size

24.3MB
MD5

1e48629b31125b924db08d56f20ebd01
SHA1

30c1e77e8ad0bd1d175cb09a2340a8fc4571d87e
SHA256

1b721d127eff434216b6e044b1061a58c342a122f78c7028bf5b65312c320848
SHA512

faac8b37b76d566b0a6cb9a8ba40d065e3dab26bbc40d0d1fff8ce6dfc0b4da3f5d6fd6dabcd94866fc130b2c5cb956bd10258cb51cb7aeeb59996c8112022d9
SSDEEP

196608:iP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018F17:iPboGX8a/jWWu3cI2D/cWcls1y

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3028	alg.exe
4780	DiagnosticsHub.StandardCollector.Service.exe
1708	fxssvc.exe
5088	elevation_service.exe
2616	elevation_service.exe
1116	maintenanceservice.exe
4300	msdtc.exe
2348	OSE.EXE
1088	PerceptionSimulationService.exe
2176	perfhost.exe
216	locator.exe
2308	SensorDataService.exe
4412	snmptrap.exe
3708	spectrum.exe
3668	ssh-agent.exe
1792	TieringEngineService.exe
4080	AgentService.exe
2856	vds.exe
220	vssvc.exe
4648	wbengine.exe
2088	WmiApSrv.exe
2244	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1edcf8a92844182.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cca36bd963ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011d6d4d663ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070a949d763ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f13fdd963ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015ecf5d963ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002786e5d663ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1708	fxssvc.exe
Token: SeRestorePrivilege	1792	TieringEngineService.exe
Token: SeManageVolumePrivilege	1792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4080	AgentService.exe
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeBackupPrivilege	4648	wbengine.exe
Token: SeRestorePrivilege	4648	wbengine.exe
Token: SeSecurityPrivilege	4648	wbengine.exe
Token: 33	2244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2244	SearchIndexer.exe
Token: SeDebugPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4696	2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3028	alg.exe
Token: SeDebugPrivilege	3028	alg.exe
Token: SeDebugPrivilege	3028	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1264	2244	SearchIndexer.exe	110
PID 2244 wrote to memory of 1264	2244	SearchIndexer.exe	110
PID 2244 wrote to memory of 4460	2244	SearchIndexer.exe	111
PID 2244 wrote to memory of 4460	2244	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-04_1e48629b31125b924db08d56f20ebd01_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3724

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4300

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2308

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3708

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4740

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eb11662054d4edd8fe38602c863ecd36

SHA1
8bea355d8a1f098d6a3a30a249807379b9d103ab

SHA256
abaa3487920373f246c8917ac86e463cb136a202300040dfa51b10f40a5337dd

SHA512
05089ce841cac11bd1775ecd6a596fa234aa786cc7dbb1282d657c8bfcf25ed2cb3070f0bf117dbda67574c5b0f847b378338da9e88ff8deeb402c1dc1c1860e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
29287074d6da1c7a1c84017c13cfa418

SHA1
d810559c42aebc8e696d748b4c4749bbaf4fc165

SHA256
ae57e7aaaa58ad38e68ab227d1b163cd26ff8846973ad90ab725e840f1465869

SHA512
53829e6c5d57afeb9527e7564e2045d872f2063c1fd69f5bba3183a4c11425c92d07b7d8898f779b00cda2b80a6c263830fded3abb97a3bd14835f2466d9fb91

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
34b8a5dbfc538863ab4563af01376247

SHA1
9c98347f087f77d066db52454d588359f6a1d58a

SHA256
c799b58003af1742cb93b9d35832ca3bc145ea13aa036696ea6611f0a06465a9

SHA512
4ccfe3b5cc2c0ad422e6e3397fbd0433a2760973c4884d300a198593b4091ffb1bd77a76b8549d5a158600e7c09d79be2382cd5ae216f270c8653411e5b0e1ea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
24bdcc619bd8f972626e71a1b8981491

SHA1
947a435602e09a0a5d2ab7d48d85e19a69dfc9d1

SHA256
60e4cc2f0f5fe0e38f268fd1f299182c98d10713484ab18e64a9add26b9d895b

SHA512
32f3af5edb020e4e4af811a2b3e9bda9a4c9e2dc84a44da1b69e1b35f3ab1f7a34561e3ac1a387a357984cc3f2ebf635f97aec1fac232b2ca45276330bb7e3d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
beed21463703e2facbba42dc4df1a85f

SHA1
770f56384e717c890f52d5aeb3296eff7e6899b8

SHA256
153ae8267424e8bb64db1f52a7990b52c7691a85f53c8c0f1fa889a1c3759278

SHA512
9703adc175598315c9e954424ea7b712de29ed10b051bf6d2ca9d47503d6f83ce1b9315a4464c73ad0dc964eb2ec8067d0e24f1a55176edf064db179f4e3f741

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ab39f43f2c219a0f8d45abeee2eef330

SHA1
2c0d2448f98f40e11d87621b41fa3323f0a6d94b

SHA256
d0436cda2409cd9e017ce9440e84caeecdc2f3d236e1088cd1e69e7115361ed4

SHA512
6eee851f61f49cc377422afd35233d82eccee4d0db8358e30caf6305ce55344f45b8b82981d7379f4d3d7e43ec3d341c253a94f3de9c80c15524fb705582c20d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
20034f94c4b05620f8dea85e81882999

SHA1
ef2861f4d294d79a8e21bfca74181e8439cbf29e

SHA256
2265d7ad6bb853fa549dc517b767a02803eba012f22a8b709b7dbc2e7e8432dc

SHA512
fe1954438a458d90015d0d6a9336d0567132aa2183862d396eaf2f96ab5a45e86a4e13139d2014a98e6af2450d0107b54fad79ec9cc511955eaba4945e0993b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6d7a8d332f1c8f59c2c8bca6e6f797f7

SHA1
6c01e7826df23c989aaf58ed63fb3d71aa5a504d

SHA256
377374fe298fb97dec7612a8266cc8dc5083d6ac6c7b83f0aae0f6d19df42600

SHA512
61942249fecc9793793975a627ae9b9f99c7662408b3dfb86ac3cd44de8fb2ba15f6cf8e83469c66af30eb70b9c9c4a56e5cb6fc01182e6c5064cace84249ba5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
739c782217c6e5bb4bfb5106f07eb434

SHA1
fe939f3a4f1a875ae427aaddf77ad407fb3323f2

SHA256
2022386a02fa0d24bcc3789d1bcd7020b8f4fce2ee1a5f7e7eaa198515a3d250

SHA512
8d4d7c28fc7da2eb9882439dc5d8b32740cb42377f2b712a3061241f4e361bd0340f82c0fe6c7176dbfd10299e8807899f7569b9f9fb55559258556d74ec2e89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b81baac6c6d23fbeeaa7d4c14104204b

SHA1
b6f92a4b0dcffd2f5c7a913917372d96156ea4aa

SHA256
6b48b08616522fad8f1e9e091955fc04ec3c2f94f2a5455b7a9deafb260c25a2

SHA512
2fac5a50f33bdedd328cad19da4cc703f89891c6784df42c63441808f0782a96dd0407c89c3210f18104d54a087f826d250502f88861ecd9c87011c23bdaf1e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c3f46695e742593b02ee8f03364d7d81

SHA1
dc0717c88b826e6e5c73be3d3cab35364f6979d2

SHA256
31f61938432dbf6a4b7b0bd260a5ecfc319b72b08a14a69df3b4ae87bf98a330

SHA512
c083e39aeff9bfeb171187a96582d7b31631129832e1d8a7221fcf382cb05d41197cc1c5dd8501cc8e987f6c23afee356c2cb348e73873409d643e7f6bfa9a37

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
071063c5a8aec712a624feae6df45ec8

SHA1
9d2a0619ee00f32e4d46069b0569203283f543f0

SHA256
ef512da7b38be7912b74fd6f85d61c62fdacef8f079f81ec7abbe38291088e76

SHA512
3e1b512de22d669b295c304043db3125de4fe9f56b6d2fa79bbbd2d250af22337c68faa866f5d0aaf6f19c65f619a77378ae214c5e2c3f439f5794392380250f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
393f44dd6b024f3ec2ce22e1dfb7768f

SHA1
1d97e182f2eef49c09b193d3b33dfc60fbd64f29

SHA256
d39ece40c6eecd672432443a78e58666df13077ac30dc8ae1e32223dc5f8fc8c

SHA512
882e17cba256a254ba187dac50009548e4e08e2a0bd0df3faac148153968316a8544028d5fbf6a3af41978d27ce29bdbe6b124f140766cd9ddb7a70897097c9a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ed14b315ee964b7ec2ffdcd27a151c38

SHA1
5e61f7528157ce3a7fa4cb1ab748594304ac8e3b

SHA256
f11ace12f464be6a0f247253d79a25a15d6ea90fd8da7c8ec322c47979ac487c

SHA512
02f8e5d78e5fcd11f2ddf7f838510d1e4d697ef4c7c26dcda566dc940ba4da61fdc3e44c346e07d4f11f21ae285f6fa62005e96cd660f7d574e8b4dc4ca1da0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6aa17110031ea21a6ceeec7473abcbb4

SHA1
ae78c9742a117d540f0b0fd07c5470fc243258e2

SHA256
663c3380a7b551153e0f77c883a913be45b773306d543f50d8b920a01635b7ca

SHA512
c327fe79ee90dc95da840bb0f5508c680f84f3044c39faafcf07f4116859079a826a58591b64cdb94d14b14a4d6ac02f342beb844730cf2f11e19135f5c98210

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
6f638bf80af6b8c3762d655425163dae

SHA1
33938e6e2980430558e7f732ed89ffeb5a51233d

SHA256
86beabe3c7f522093ccbfe1bb9269af203c06a39306e31e272bdc68527dcf5f3

SHA512
6cbe981a251f0860ff1fab9724e50a8b7f358a661dd32cbdcac116c623625e7f637e77ee7e77d133dde0c97bb3eb7092432051457c327f905aadcfa6b42762e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
040daa5b5fd5765cd3ccbe8d4d874837

SHA1
948104be4583ea8b03f0136f1e75380157559d02

SHA256
f0b553de177f3f82954173390df9447cc38c9e16f26b7166f8c01e3f8624867b

SHA512
4c31791d9bd6de141911d31accabaa2b1389a8eab506d87011165e7e421cd217bbf9890ed225b274304bd4d6480989a12c525b5f8c68c51913b67e42971e2db8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
397c6154f7e33a4d599f40bd8ee84b61

SHA1
80fb5545764c17ff82266ec12fddd9a002286050

SHA256
e58984b75e01feb3ef6507a5bff98b1fdcaaea677b77cdfbad5459495b71060a

SHA512
ca21d4e38d3403ad74588763a386712e66ed3770d8cb741aee8c796a24bb381e43f6b9ece02e9bdc9d831268422f2247f8dae41c5191ae13f7dafc878e5d2b29

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
177f25a99052ad452efd01649b29c9af

SHA1
cbb5227336cba80c53d8dd55fbe040ffd34ba8fe

SHA256
5c2a99991ec917c6806e7e829f51c34f7168da651ee22cde37e8615a26283e3a

SHA512
a69fb1338bd9828663c146167cc8a3a67f6236b2e4546256de50384da3a780ab43278b1e20fc24aa9298d47d51b41b5e4220a6243c4b44aef6d2f8421da85c15

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f4199c066b50853f2d1aae23e4163987

SHA1
f33e861f5b1b73c1914bde12a4b20e346cfc478a

SHA256
f5087cb583a2fedf7e9eab35d52c46fcc934a0e99c048669f9021160c2f7527a

SHA512
537a4833d3d09865ba91c39b0e4286b995fd97efab7fb0d8447611f6a202a27a6f02fab06f9f4d2bae019cca591f5c033687d383d410803b8704cab2999c64dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e8598b3ecb4b73403abcfbf7fb7aed18

SHA1
24325495c9ccb3d7e13990d9259c2491d9eb0afa

SHA256
62ff0cf96092be4cf53500e18f9a11b35751616cf5ee1586d2242bb3c368a5e6

SHA512
d74937987411d339a385ff2c22db602e97f35a8e005cd94ae1130cdbabde77e0d61fdb4b98aaa20c2a912a09fbd8e67a5ca044d08f825a6127d938b35c92748b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
34c93a4a20dedee2fb0c08e648a8b8c5

SHA1
2a0cf89617d7843977e4df5e0ea07fbe24290579

SHA256
f830f4ee2d288984f74de423ee01d43774855ddee1f3e28be5d8e4e2eae69379

SHA512
594e65b0b329d6da1890192b71f74ff47c527d9cf600186033de5140d072116104010fb1f6c024778593c9eff6b483da87dd69fa078dbe8a4a8bc8c7e55f133b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
df1cce5473b7aca604de0487af9f6b79

SHA1
ddb0dcb054c6f6aef0754ca369dc97d9ed068254

SHA256
840f78c8adf5a5802d4bd88d2ca9d95f3f26765fb7dcc1ab67cd4b4ffaef4d1a

SHA512
91838497cbdaaa98813432821bf5784a5db62ce7985860e686ad62b172f8f1ac0259919c9401e988fd50267413efa58ebb7c3ab581d62575c9000b60165ce429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5d78700b7332d6c80f4152fa49fe4508

SHA1
b4d789a45f3b2691b2165230edd6a64e72184e88

SHA256
b68f282b0f16a80defba9692ef22f345b9dda9dc73da0a2d1c01c63a7bbd48ba

SHA512
75a88bb4182e701a0f47766d70dbb937c0bd1919ba923309827e93191ecd42529753860d612577eb2edd77fb1af85f688fc751d1136942a468e465afcfcb2103

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
17b1853572eac58aff0f3fc139d79bcf

SHA1
b9847be4b1bded4b2c789c1c7d810d38f72cceb5

SHA256
2859db4297a155fa95d64395a4a3cc8e9d4f6834657b359744eb543c1187724b

SHA512
90d2f0145e7157b09d4c2bef23d3cf65096652ee8c59d65c63953bc415299435cf1f66db7bd8a27beaeaf3d0b7c9e6dbaecaef486532ba37bf28b7ae101a0541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
04dc2d63b6f9c127ba40aff33c96de17

SHA1
918546ec9df0586ae92a72292eee0dfea3469921

SHA256
28f860df0540169e2921a76df9fcc1d6375eaec13e9fd82b4de3698d5c131064

SHA512
f353c45cbaeeb47cc3dcc61d5aa29fac84e5a1fc08fdad2794c311e13f3886de952c004a2b9f4ce51cd02572e897d37b2a23d13cd61159e0b8020ac480bb09a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
affe1e8dcb5c1be757b0c3ad1796987f

SHA1
2874360aaad6b5c04c546bcaf69cce32bd493e90

SHA256
750e5706753a5e32a7858ca38140afafa85ef88c21084815df4422e4f6710d00

SHA512
d3cd71883fd1105eecd42feb61675b78a1b5b7acb62e117898f3981849b682422b5e843792eaba97f4779c0a0d058410ca57bf1e2b9feddf917ee397181c9902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f0a9862ab40897b4c9d13447043e2091

SHA1
94ccd3391955390d679b5be21d596c6116baddd2

SHA256
e40f4e489cba420971d9098287e4fac02b3650b451fce7fec2690fc7bd28fc9c

SHA512
39495ba557e13c0b66b1b9a1b01d21a6ba04769ca1c7d5ae7d8dfe2be9d15ef787eda27f02eafe1618603f93d289243b11cf7b2f28a8f8aa429d8a6f8d2c7886

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7ff3932bb3f4c1d6b2dfc43dfcd93b22

SHA1
492c7b02ade47bc35585e2cbe50187add7f16a50

SHA256
0c91fe889b39d054ea335bc09bcd622a8575ab05be1c894a79a94571f6ab193e

SHA512
f476d5974feb936a40158d016c1ee19a666876b0aa4ffec22eb528f2128b9652458c930342f333a1f18bbcc4e67b2f595aeac2bb3a71aef4d16887b19864e699

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
25d9de36c7e087cb450d4329d80d97f0

SHA1
8a9ed4eb3ccf7b6df59129085f76a530f3daa3f8

SHA256
cb2a1b5b61426832426115e78ce21ded1ab0aea6e72033d1b1a4f6d344211794

SHA512
d7ff15143be00ad15a093a0741320770d8a7e5313b09dc404f0e223a161a47161f406f4556bfab4f29b2b9181946c3784993ffab157a3cbad0af69ccf145dc6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fc3eda6bcf4c2db0d4c0acfceff477ca

SHA1
e5fbc2d97eff6d5bf42279d7b4d2ab3ba4d3aabb

SHA256
88726257f37b36fdaba7382423bba90552c0242e53e00974ab4e5e04ec628e0f

SHA512
c42aa4127774660ed528103b768eb7fe1ebd6ee5a7f33db426c159ea62be710a2f6836a7eb6c01c64bf3797f60477505796c030ae0026ee2a60106222162a16f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7121ff81cec3e92775aa5f67547e065f

SHA1
a2e64cc3c304d4125fe0be8c7f72354877fb82e9

SHA256
13e24595dcbbeb617269e46e996f7daaac5a5448b136a33c19d6c46adb6416e9

SHA512
bf51e87711246badbf655954484a1cb047d22ae1ce4302a01d2ead467b4d2003623963c3a2e1f51910379bc08e476ca3f1d45c419f418b52469a08fc76fd489e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b0f9084b5e728b83e16a9ba329f4e9b1

SHA1
3006253ad1e807edef8e9feeb72f7f4dfa4bfe4a

SHA256
9dbfc89f8c6de94f6fc0596b575757783e9e6ce33e4764edfc1bd23bccbb2db8

SHA512
fe4db9f4d7afd3612b29b70512432ecd3297c967501e5b60261b058d6b202cb1f1c2ae03b089c231bf5bfa47857832c74e5365fccc4f3ec10d0be91c6ec9f87b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
896e14a1ac9ec67d8a001babd9df9a10

SHA1
579b92df6c00975ac6c5cff2595b5aee76f118d9

SHA256
960455fdc8b76694224b0d2d37696341d57c1c66ab89d4c0cfb5eeaf0a97df1e

SHA512
99f05e24cdb43226099687c350330198900b304d4c96d765cdd2f37c0c1a5b6e27beb1e381f1bd353b7d24ec815c8ba345bb61aefa1228f84ca665d01e5cd13b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0017cbf19eed18a04526fa23b1a1221e

SHA1
c99c8c6f47601f71d5ce99fd7435d074280cfd99

SHA256
d1748807261d236b893f1bc011f555a61d692b6deba44273a5c4fcc562ae0f9e

SHA512
3400616e2a79dceb04a806af316fe532a0136a2956005e3f85035b1901e194b2e279301337fe2d967c3637207e43e5ec89c28401422ff60f167d9a201c2af892

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9949e8aa97ea46fc28ab201ada28127f

SHA1
18dd57d32d75655d02cc6d04a0043f5508399cfc

SHA256
6e02e25a4401f2d61044de6aed490418e27c037a3b316f8e7758d3c59a2f455f

SHA512
3b10d69ebd0c7efb5bed303818b7b35593e11c5fc01f806a90c804def859792487c1792cc66e4bbac0a520635ea0bc2aaa049ab60d60b98768519e4c58c8cd45

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6cd437beb3a588a2b1c6ca97c9f66107

SHA1
9b8a6c2d425ced036684afa396d1a233a5b5dc07

SHA256
f51f586ac8b96d33545f527d69aae9f9a5195c434ec30b06d8b835b2e729592d

SHA512
88b4d1227fb7b4c571ae3688d039dfd5d8bf429413a23cd4a80dc6ce0273c1d149d79eb2a25eeffa87c8c40fa64a02af66e25fb77041b9fa52ad0a7b0986d431

Download Submit
C:\Users\Admin\.node_repl_history

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
be41b60f40c4e8efa7b25a09b52d06d4

SHA1
089970293e4d0d4206800ece54f985dc2dd46dad

SHA256
1a2135b058fed6bfa340865e912c5b7f41431b22efb9783008735375e5d95de9

SHA512
9a834af284b8c8df3b0bada62ee2827e5e996c3ab59a4d8d1e177ff55e3930a39e901c8b1466abc200ca0e1c2ea083fa4e69dbdd4be19a5a64fe0be09b566303

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
09fdb5c907d1930cc2e0ff5df370f5a0

SHA1
d6b0f7cbdbb32e71cf4b0bafb5ee0449015da064

SHA256
a662d4cae54832b9aa15d1f5f6bb2b21eba9ba9c8938d2f2d65992f3754d951a

SHA512
baf8153921f68480e98a7a4e5f73205b673461e78fc28cc4344a58c695a0bff8f144064460bb229fb495da1c1b06d6f169df3ff82bfdb8e1ee4ee6cf210fa522

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
471cdb0dd31f65ff82fbf0b0d4b50c1d

SHA1
77c3f41add0bc280e23d03e389103286e5cf1a14

SHA256
67f86e777da6e45d468926f5c8ecfec42b96570a792d1d706cf01dd4840a2241

SHA512
c0f078142ce7f5bf7da66f9ce1c29f90e5939b280ee1886901e2767345228b889a035768e63e68625c472b690c91cbe56edafa18a1fc268239c2ac4ffe075460

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1647c45f5c5bd4000c107d66918efe70

SHA1
9c5b0b4c4149667f71acbbcb8a3a56b2239f265f

SHA256
320a0f51497b51a0b41e334b3c6d95ecbec4855574d58340cf7e641dd0cbfa00

SHA512
ef5a50963e58898d76940bc7ed6587392e24b0ebb4403cfa11b3f75738bef6a6e9d77d0d3798df68a4b41e0595926c5caa531756e4f2d9a38d68f8faf6f06a1c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
98e9f4eb0da2a84caf55f60cb96fdea0

SHA1
eccda8de75ba5973499e8d7da597971568741dc0

SHA256
b9b92710bf35151eb570ff307684d8539f99e3cee7e1340284f63147d2816985

SHA512
6024f4d35bd7ca5d988dc1ca230118e2b10521c2467fa8a14a5665abe48643b9179e54e02e4f1c2e1f6eecc148dcd49f65332bbb611a740c3eb32d4a6a464116

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f7c4b0aa4cfd45161e891d906500f04d

SHA1
5273b6f2a5de7478d143c74a552331e58c217949

SHA256
c38517b7c220aa03eef554c841bc115a7d2c3bf95751b0ca731c8678abfbeb48

SHA512
91de21f623aeb7b38e833a6ad98bb369f97d66ec96d154ce1cade7c085fb8cb8b416f8b103ff5f89df7132dc9efd197fd69605434ebce660b29f4a4936192c1a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f628996076d44ff6d1dcb88c36f5832b

SHA1
3e89e25bee80ed6e38e728336c492ab50a5bc162

SHA256
4fc12a7504e94c204440af41dc5c32c0eb9e944c0304ea18ae956d80cc3fb338

SHA512
9b3f825bc42d4989ee3ab881ccd92551e5de285ff1ef23650f5ccb22e647c55c7307f2708a2711a4ef141affd18400abfe7d5394dcc9f2bc77b3a0ece04fb777

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c8c0df17a04b0129be8a549d89150fb9

SHA1
6b5d9627255811a3c34cd022d3083456738b5971

SHA256
145d3b2035a13f040058415958e3351404a175fd892cf1a602dc082f8ce0823d

SHA512
57317d92cfa4ebfe2216d9ea0c292efae4e987005c072e4b78647ebc1d92c1da0c8dbfebe2e31f336eed6a602a7c24e59de9e135714eff7c5383b693bab8c089

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9870c08bc50d1de64598c371d82074bd

SHA1
ad851992a672474f6993537ce1375086fb5f0514

SHA256
39cdc266728f1035f6c25e0171806661891eb341dea82f08d49b676640793cf9

SHA512
5224f5a9b2fe746b3807f1c696d7b811f0747d4373d654c8474143d6e576e5131d678d9edb63d04325db39d70a7faf3fc1b5c497fccae09fa9d50deb81f58cca

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9853557208e441015f50826ca984b154

SHA1
65f48b61d06b30cb9a976712c093326782e13715

SHA256
4a954ac4d95af2b548c5255c8b0a3f453577e0a6055dacbb51e85b18fda52cd4

SHA512
e112a6a37bc406e82c1cc2b834b7b99eecced5d86fedecc1c9f3850c5d996a8a93b967172f677d100d13c402926afbfa39e146d11ecd98d5611905ee397d64c8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
eececd608d2eccb3b5484f57da9638e4

SHA1
e578c81102cec864b5cc213b524ee424add892cc

SHA256
033cb16cc7b2afe456122e2158aec4355572fcebea547520f1dea255da8422cf

SHA512
9eeee9f1b6324f73c628d250336e990968c6e4310a88308af762091c7ca642ea67bb9c93b2434f61386059042e6ecb4ab6264d885d677cb030be1c7a93dfcda4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b32aada51a8f146509aaa7c596fda3d3

SHA1
1469c649d37ea823eec4547eaa845ddd3709eb52

SHA256
24283122655f31af98301a67ece7e5442a174445207d468db3ebdbaca13af5a3

SHA512
1eb68e07fbfa0bd22ad076e12def7c8157b09c8a0ce89bd9263fc91d81c26429e74b806e830d5d09221e32a457b634e481b9b5eda5702ed30b33da7b6b950eb9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ea42e35bf90cf2b4f8161ad7eae89495

SHA1
4ac7ef262bfd4b6c6b3ba5f971f915afaa6fec90

SHA256
aa3d2324aff3c4d9debf83afa8f1cee79be353e9f5445d4c22fbf3266b3e1114

SHA512
6431fd47666de3190895bbc356724cb1d92a3d48af84e899f2607cfba4db8a391d178f37158610713b93d862ca763ee3d4b00dd978b9cbb159cf3127c2d3be63

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
648782746ffda33964eb191914d97193

SHA1
bed5baaff0488db908c949fe950572a9a99636c6

SHA256
b5ba0c98bf741bd27dd7396cc3c70f570b23cb30617b2f4402b5b04ebd614bde

SHA512
0841ffcb626a2c788f9f651699c57d1ce08abca67e9511f16c7cbb8683159788bad0f243f1e4c2558dad5cf00efcc067b8f25e4b179157eb2c6c9b7dd3e5d706

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
04ea4364ac78e14cd1c0416fada446b3

SHA1
e90a9531b41b67d6a79fe2e3703521b69d924d90

SHA256
d596ff274e35a9dc022a889f7d51d93d4c156e8962e332566690a8f0c4b81a6b

SHA512
aecbad22f532f607c4d708b1f04dcc7ba7c9a1be7f61cdf1a8341fd619aca1220b00d09adc07dd7045010886360d77fd104190bea14b75a81e408173c0af0462

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0491030dc88e33ce98bbec5fd7599270

SHA1
24591e3c1739c065540254c2e81b7b76c434146f

SHA256
fc0bbd672acf1282ce8aa5e6d50a5f6646870d073d2d62a5ca550a37c2de22d8

SHA512
4dc0f825b6a09f359b1ade8261e8a3d7684f68f6ec95cf0306bf8746518e7eb72fa1d23e18ee6ed32a0c0654f129bd103616068c31bcf4a02cb6fa8d04251c8c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e4909f4fc6de2fa3ee95ec8004909c17

SHA1
d7cac49a899f380ce5cf7c565b7f0c248a33a984

SHA256
f3d92d31eb22108fd18ac70aeebc76bbae6ae6fdf4b24c80065ed6da2356be70

SHA512
606a077a2cb61e16bcf374a674e220dad6b8ba8ce9dd3bae34344dc89317a2317a71c388aa6656af74bed3933d84ed6aee7b11e6d8972245acaef2c04b1eea3d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cca922b01226b46162fd93c89eb8169c

SHA1
42876db1b64a180e5538079ea259ecedfa9fae51

SHA256
ffb3b2c863b9eecae853c3b2a9ace802b4fd5f5f08beae38d184011b33028eaa

SHA512
61f6114f6900575d057b02095af5bc53095bfce698cbb350a2b5b893cb4e28963970db9693a6c2e99c4d675dedb86397acb32a851b2e256f13f37f7d031d6a93

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5888976a94842e32cdb63a326f83e81f

SHA1
3e784687504a81947f4d969c437745729b825482

SHA256
d1cb3784bcf910b32fb16bb5b378214ee90a0e875f4b9cdc544a0740f714c0b3

SHA512
6fc66dfec14d7d5b7d8e33c9ecf32b45b6edc80b8d318cd4c468fd19e73df72a1b9a01f43f34cf2b0a1d3d6f125bfdc4e809e3d04d365d867ec8e4ad320d3125

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
adef341b3be0328a20e8c0bdcd0fa1b8

SHA1
7e1ed9665e331b5ea8edb1337f8451da5fe3b922

SHA256
432f0c8ecf9f9067e61a2249d225b92b4357cb780e6c94844dd6211350eba4bc

SHA512
83b030963fbdbf569c2fc961ab11d327265f5480f41aba500b66975c301a23381649c13c3e52fa88927270d2fa8162f555713c81d4f07fdd3863318aab4448c9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
86c9fddc48fc14d2b7d009545946caaf

SHA1
fd786b158b22f8054e30a2a34981ca104e92e7f3

SHA256
4278a6807d89c9697c43ca4c215e1dbcbcbb64b78adaeac38973a607c583b2e2

SHA512
e8fdbcc3b0adbe949f40618ea271c4c15ef0375752dd3377b61db1aebf1542426c804acef1ab24e0c39c429a0627c67161c408832c1db6317052504ba35e7307

Download Submit
memory/216-146-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/220-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/220-225-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-145-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1116-83-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1116-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1116-78-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1116-72-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1708-47-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1708-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1708-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1792-598-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1792-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2088-604-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2088-256-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2176-148-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2244-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2244-605-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2308-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2308-247-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2348-119-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2616-195-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2616-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2616-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2616-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2856-213-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2856-599-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3028-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3028-20-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3028-144-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3028-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3668-580-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3668-175-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3708-508-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-163-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4080-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4080-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4300-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4300-87-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4412-424-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4412-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4648-603-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4648-236-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4696-96-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4696-0-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download
memory/4696-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4696-5-0x0000000003DA0000-0x0000000003E07000-memory.dmp

Filesize
412KB

Download
memory/4780-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4780-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4780-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5088-51-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5088-194-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5088-57-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5088-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download