fa6eb61ad76dc8550bd4940912fa93d8a288d4fa516cdc6ae5c0943227adf28d

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Size

24.3MB
MD5

0f6271e741c2e35567e864948c8f6b3c
SHA1

09e91f7488a4fe00a2467a13c820ad4638059ed8
SHA256

fa6eb61ad76dc8550bd4940912fa93d8a288d4fa516cdc6ae5c0943227adf28d
SHA512

338f8e7624f5d9038a1aa3c2ab6aff2a57c87f8bddc2030754f1c36888561360842638750fb57705d9986a60b785d7eda56798af4b594e45d5d0ed43ddb2ea56
SSDEEP

196608:DP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpqH2SAmGcWqnlv018FnW9:DPboGX8a/jWWu3cx2D/cWcls1C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2496	alg.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
3452	fxssvc.exe
4324	elevation_service.exe
2520	elevation_service.exe
3952	maintenanceservice.exe
4432	msdtc.exe
2560	OSE.EXE
2404	PerceptionSimulationService.exe
1924	perfhost.exe
2956	locator.exe
3692	SensorDataService.exe
4936	snmptrap.exe
1932	spectrum.exe
3940	ssh-agent.exe
4372	TieringEngineService.exe
1056	AgentService.exe
4920	vds.exe
3656	vssvc.exe
2388	wbengine.exe
5088	WmiApSrv.exe
3716	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1dfe661492844182.bin	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085950508b0ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013fd8b07b0ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e483206b0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027e23208b0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc1b4d08b0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3f39f06b0ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ed70b09b0ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061a37508b0ceda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cbf2806b0ceda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3452	fxssvc.exe
Token: SeRestorePrivilege	4372	TieringEngineService.exe
Token: SeManageVolumePrivilege	4372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1056	AgentService.exe
Token: SeBackupPrivilege	3656	vssvc.exe
Token: SeRestorePrivilege	3656	vssvc.exe
Token: SeAuditPrivilege	3656	vssvc.exe
Token: SeBackupPrivilege	2388	wbengine.exe
Token: SeRestorePrivilege	2388	wbengine.exe
Token: SeSecurityPrivilege	2388	wbengine.exe
Token: 33	3716	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3716	SearchIndexer.exe
Token: SeDebugPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2800	2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	2496	alg.exe
Token: SeDebugPrivilege	2496	alg.exe
Token: SeDebugPrivilege	2496	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3492	3716	SearchIndexer.exe	110
PID 3716 wrote to memory of 3492	3716	SearchIndexer.exe	110
PID 3716 wrote to memory of 1864	3716	SearchIndexer.exe	111
PID 3716 wrote to memory of 1864	3716	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_0f6271e741c2e35567e864948c8f6b3c_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3368

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3024

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3492
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1d438c2011d698009915d5875217393a

SHA1
ca6f6cb4418c50bc1a540c9fcb51c1809dc05f0f

SHA256
5d3b3eca0a9f99f7df0caae38b584b98963fa414bf98225bc034650e49d29b1c

SHA512
b438a0154a41f74e02e5d06ebd7af6ed6c4e6b962424e5e2e8b75736a752bc0615701767e0f3cb5e4af7f65c03e01e80abb40f9b39f230a3683aa8d43132079d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
d39f77766362ca2e4254ce8fdcbbddc3

SHA1
d00be5f51d3d2b277fa6aeb0a21b55c1ca347d0f

SHA256
616701551f64ebc52101c8e0b693e955d76349e5f5c352bea4718d7a646bd027

SHA512
5e94570d67e03554ab0bcbfd40df5b8a6c1cd0354c4851592c06c6e0b75a97ce7c28607ddb957e2e93ce5e19a8b9ae37b94401bf098f70970154460f7975a462

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
91b9c9bf1c1fb4e8c945a350b72b3723

SHA1
9fe340fafcb2fa507f97dd843435943968394c12

SHA256
7b8f9060ab3bd19c546d7a5c39b31aef4ea29e8e64c8304ff383a229ff5d35ae

SHA512
2d8211e03a91de023a3bd4ddece5bf1c0c82891c2aa85cbc53611eb225b091f5fcb5dcce993a2767a969d988278bd40fd76717711ba5c9d4653da236f4bde328

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c31e6bd18b1fe13724c3fdb5d0984c64

SHA1
f86dc47ffed00a21f2895c9427386672de0a1880

SHA256
c9d25e5d02417ca66280a3c25ab4ae57fb323499e83841df865d2f92f57cdf46

SHA512
1e3255155901d3f07c655869046ea0371c21b3edf882513d047ea1b9cca6005e887ad1fdf93773ff9dce6c168ccf463434413c85148241add4042468c6321c8d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
58e430141fa3c5dcbacb8449ed081590

SHA1
b161592b99becd218effa789e4a1de8467b1586f

SHA256
d4a3737e0b53a0c511068372d650bb1bc18146afbc6b1d6cabddd9ed245d8fee

SHA512
b30851a69cc96f7dd1652b3a694eb91e408de0d86a37b4caf73392ed9c4d6c4c6990cf44b1ac9805338062f1b132927eb5b59498b9c240bfc8b3d3aff721b7cf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5c6e9725968817640f112699cc410841

SHA1
d490871461272683a56ccc2d4998ca5de372c90c

SHA256
e5bb51e243764f8b0cf5f7b422c857514cdb1df0c811b591650ecda15ad7551d

SHA512
2c2a88e242aee62cf3425e1c2a1c0103d47981baa7001759177ba95c478f73946719196087390a5e6789a734b5fb7d92ae6c5c6390837e304f9193101e61004d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e016b56a15501c590758b8e0689b84bc

SHA1
895026e080ef67edbcf2f9d158a2d269c61bfbea

SHA256
583e202c4efcf7b8d3ff45cd9955d61f4221cee5b0c4a43d96c83c9d8d7a394b

SHA512
d3af58d8d9f988c12f2fd24007e867a96018a989cdf7a37b1f8a356affa17fd6ea7babcff7308297c9b33275a0c129596b2f9c4becec74c7bdeccef3d5c37888

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9901d770780c7d3eb1ec14b8613b009e

SHA1
f5e2445f3e2333aeed56fcd59aeedd5a8bf38bba

SHA256
11e50fc960fcb81942e3a6528bc28733883296afeaaca9ba52a6df4eea278e22

SHA512
5bbd465d7909b0824cb99a7d0bd18f8bd33f253daf1b541087d37588fa3b48735eb5ff5112dcdf275a1d5774edaf59eb5536e6b9fc352e9b5c5ea1632b6517c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b20e3abec60fbdc83b60e4cdf1c28949

SHA1
fe85bcd1ac39a6b5d2013b995cac047cec525004

SHA256
19c7cc9c9f7b04701e65ec6f149f91605373680b84baae5f44e7dd883dcee1b0

SHA512
8d67cd4b1d83e1acea79b3489296920d80ec9e3fcfeaa9d0616f31bc7a7c0054952f016cff83b01af68f7a2bb87c6e4901b3af90db736403fd9be943ddabea44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1209ee47f4763034ff3fcf6d8d60b5c2

SHA1
ef3e8e5fbb92889733a9b30d51a40a4cb115b675

SHA256
145e80bea054b561a7e49092b16eace973ae935e8421a9ea70677492d1551517

SHA512
3498f155ebbf2c59932cbd4b35dccf42695690510c6da94815cc944516d58c7dc34595d9954e131ace343431138bcad17b67d27a303831f1c4a98cf9bde4c55f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
002ed9c47bc4b7ef89bcd35bac326573

SHA1
f8e1235c54fbb8a19211a9b96d1db90ec1460de6

SHA256
185355247541451ddb517fb0d3881ca0c5ea38726595f233736e263c4b57a432

SHA512
bc8a534141278e77e28740528e2768c12d245f0a9ca39a2ec04b1196b5b133ba767b15d88bdeb492a1f8533944252c3c87fd9273094829f271d2f68887c40577

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dde71dbcca675fac6c6534f0a4260fd8

SHA1
665ba202cc00b98670d66f34a406763052557865

SHA256
0efd2d9fb6f9cc58de3172fa4bf2eb6c40a0b05b1bc51a4b666ef4f8716a742f

SHA512
647c4893811d2bb2ccbf625b9d0cf9bab32305f7a18748e89e6ecf4673d65728bd2d56e425ec45e15a71e5380be2a190fd0377006e93167af3ac0887d3aac4ae

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
91937cb8fa82a185fef9308b407baafa

SHA1
1a29a04e90d3d4521955a123e1e8d2177ac4c3db

SHA256
5e7d0df4879563ec28b82535b8a1b35ced61b3915dfe91fbae828bfccb6e47e5

SHA512
1063a15695cee59b13baa7c449f174556064eeef58c43e96df7cca8787b019347996b1e0a1cd8fdc6b1e2afe5c7f66ffc6099a708ccdc9c41a94697484ec5977

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
35e0683b3c999cfc8e0ee303f5380566

SHA1
1b899b98ee7d6147082ff83af89d82210ac516e3

SHA256
c85d211186892c368dea8226c362a38d72213181e56be8c4a5e296950980c5b9

SHA512
33c20c2403e15304a5460a7eb9228823d3b05f14782c94c6de5c793258f125c4f919716c793514fa93fdccebfc566d9265da0215116540ca2fcab1303185c6f0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bec459e46431c67977b3778e867280c8

SHA1
51aed78c1d10f5ff6c81c43d7bb76c84893e6eaf

SHA256
5c0d3dfd97afc21892a770f80c73cfd6032c3e8be66f57b044b5811a6585559b

SHA512
d015366f032d4b1ec816d4638ca618f4d62fca5421120c9422354446e1ce07a8eebbddfa5124f4122b5f5a42108ebed7d41b3ca637f4c132d2c3688db12020f2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2e587b4eaa3c625164210c5658067cda

SHA1
fda0ce16677dd70526c795f74a59bb12b64f73e9

SHA256
031afa5cdc11b1c285ce1487c96dcd91d0af859c01994f74ec5e568defab088e

SHA512
e01d930d0295c93cfe61e634efe78440810c8d09c8ead512a22105ed6776f9d6b6acd4dface747f19c6e88170b3f2e67e14dfd55991646cf24e2b0812d78f957

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2255b2f0e242586827f451cc1766d0be

SHA1
9be97b7cfa11bbe08e2a8985cc984df842bc1cdb

SHA256
edee0ed81e83b25cd13fdc3263cfa3337708a89d9ea47000d84d4a0e2673e448

SHA512
17e3cb1818a2377880113a565e6722bc8e5599f8dda4ae8ba3826444ef4c5b04fcd1c4b68f9f321caccb2697a5dcfcf3d2023a0ce2824b0db8e2d30a1eba779a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e1d38176395c7cf29c0de1bb46ad0131

SHA1
31ef77cbb25e1d89defd9cd269cedd78013e290b

SHA256
1782318745a24bd419ad71046d24e9bbbcbb6420fbc122e7f79d805f96643b9e

SHA512
9a18b72f37b72cfe112b3b725cf0491683c91909d56bbd1bdf7ccf0598bebbcb27d2a8a7d27c02c64ed41ffdb2604e5147be0468770b0b24060f471049a890f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
454a44371f70734bce872f54d9218ac1

SHA1
68f4cd9ab8a2d9392d58ba4b40aa22af61531f08

SHA256
10f1758e04b3e591a1798205634319b71213b70fd07a34586243c990c2f10b5c

SHA512
050621b191c5d189613e301824fbf62e78af48db2602a43f59a33b4bfb14cb20d5815631a7dee99fe2958e5e75b2abc017676e43a73a4a9b137ad562dfa8a5f5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3daed29a08084afa6b35f02688a52138

SHA1
69b2b12302c2adaefe6d5cd50a0dfc3a8167d0ab

SHA256
73a8ba6da08f5c24654e94b712ebf5c50fd880aee3c238d3f3abfc9fc088eb3c

SHA512
d119a481f414b03bcb3993c976fdc91a5183205743bb1d30108adb90ece51cee20459331858fb56a66d493a709a6fd000fba19009131bae89fb58661af88f828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f28f38fb8a471890dd504ee8c3a696cb

SHA1
166ab083851434a2940c970db99e074c206c5cce

SHA256
f9e4b97d38e71c73f42d93eefe5f4907af1e88bbaed97504001e8aad96f1f2d5

SHA512
08ecc3f431a582b6b32197505833440e2270fe80a6fcce22d4b09cc95a3a7132de680d575b52c4b9c76f7987f4af393661e9fa8d3290273e9173db6d78a763be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
57c9c847f64867ecb60df253618e2e32

SHA1
ec0c5d591666ffb56330793ccb03944b64c571fd

SHA256
0968b8163e476897d6d5017c5e8f582cbafd63b1c7595791a1d23f960543c8c1

SHA512
3dc80d00273d55db3c4991254ba9026bc1b09790d2174efce5685a78dc470315ee69148bd06abdd46c1efc063e60171d0e760763e23b110158a2dbf31f0036ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
bd94b6dee9ebe13e8d5204f6eb596ace

SHA1
93dfb9f2435acaaa20723c59a967ddbcd5d0643e

SHA256
0163e7f611e279a496db1566d953403e4f208a01723362bad8c3e4f9034ec3df

SHA512
f4b5b5cd7c48ab83a31c6862a630129071beed05fa6199ce5fcf7dbeb02720410c4934d06eb9b997cc3d2ea2f143ad8cc101cbd83b64913fd168bbeac810e005

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
fa7191a3b32bcccf31fd83d8d7d87a24

SHA1
33ba50a4de2e2a95beaf0cc5233f7ade03eb4dbe

SHA256
42841b64acb9bf9c4174034db8dba8bdb7f81ed03b878297a16780bc22591de6

SHA512
add84bbadcc7b99b23a9489d407cf3a3cfe64d0084a9bf1303197774c41d5c5cb0a3aa53bccb6ce91e279d71004db9bd92cb2d074af59fd0b227f309d62c6e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8671837837eb1c4b5fba48cf13f3d741

SHA1
33c90ff2baad1620c8e1ce30af19d5cef2f1069f

SHA256
cf9c94ef718bb763f187522e7777d1443658a9a06995e5fd0c1a60c9a13fba6a

SHA512
1814dad8118a7a75a176c135ddcc1db776d7489d7ab52706ee32839e910878f5694b444dd9b51025f62783df32fb9fb4947f78d2f1bf145fdd2eff99c4448dae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a62b5c87e49cd62178f54d134527800e

SHA1
3e6de9d54401342f7a26e7dcb7e088fb5d0de9c4

SHA256
7953f1d99b51303daaf4aeff0148f054f939d84b634b43fbb025c64459bb4cc7

SHA512
22de866770f1dc3ea1ce174c5469e39abca73f51b6bb29a7e2ff048978c4e9b14032a31ced3b01f72a66350529c7fb3f0402c9501726ec480d5e2fed1681259f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
985db1204e577b7438c143cab205e69c

SHA1
d69a271a0ff558c3647b0cf1f3cb5633bffd394d

SHA256
d20580f2dd33ea2a8bce54ce975fcf2232351decaa56feeb48f93848fd19c05a

SHA512
af9e4253b4706dd643570a1f7a120aaa61da77c2c10a482e7504db0a306ce6b10bcba1b556ef5b99091f5d3b0586d23f8ededb99de4688b31b6e1ecff8a61a8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
91f1b974f8f0eb6df86a854d4b2131c1

SHA1
a3f4c137a4fb7afd99a9d72e4c6a1ff9333c9b26

SHA256
e35e7d6e0fc87dd6ac69333a5683ac37fd67ccfdd58d2b768343bae77a5bb9a0

SHA512
8bc12f9cce908e4d74ad9f966e2151634a6a9b073512fa04f8bbb15c036528ef133df8aeb011e893a2e71c46379ce017ccafa02212b759d5ca8db6f7562609db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a928bcc3a7b6de1c853fb48c97566cc8

SHA1
e42b1e644a98b20cb5e985364130ca79229b6c23

SHA256
581acef834e59b288cdf30f660aba02d9e0fd8bdd3bf5edfcda9be7b2f0cae3d

SHA512
7b1c3a600b8772d07905220e38995396752ce32a8b930656289d57520b5007e5d5c4b21ce57a014edf23a50698631993978862f67a1fa9d1ff330ac38d56545b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
571475787c28dc3a05934f701b0d3927

SHA1
6594a8dda039c70f773d7e82d9519040479c90fb

SHA256
dd4bd8cbe0a1387bffc50e4fdda602e49c83e10f9d7cfe60536cffa8ed32f90d

SHA512
649acd8cb1cc47463184b47dc7fb528941d1db51955c9e761878acba53526b0aecd15da07fc2c0e024f9fc11e8f5a2ae22f452aaa0e274cd9fe1d753721935f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2c877b161c5739799c5100c2be6aff7e

SHA1
2cc464c126047227cf46b689cc70a9babcfc405b

SHA256
350915fa7e5a1ac82287e9f604b21d1eb8398345408d0a61349803493c32e1ab

SHA512
6ce559968a9bf9d9bacfcdf32f55d445838a849aa0b706ddcbe6ea8e70d6c3e82aaeacddd6ec3a6815a75ff24947ccc6dabf6f1da87e7ebaf60b2160a4f66e9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
47c817f7bce82e2e1aacd069fd20ca0f

SHA1
a50e3588551c7d2d4cc7bb32f4b37a58b45b28d6

SHA256
fff34df03a5ca1d8768818a1c8133017aa7e12a7acf6262704c4b36a7b6187a4

SHA512
307eb0259f1daed536ff260b608958043d80b8bea184f802e438bd00b10c7f5cca23e993cb079e714a5086086c947f2f32ad2a37769203710f73f876b21bc7af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
49e2feaa2839a74adc1f94069b2651fe

SHA1
ebecdb84ae0be5719410ee8d270ad439f4c57048

SHA256
d756982ce269bb54c478a6e4e81d878b18eb1a7f5c48c67f3cd8ac9a9257b18d

SHA512
778b6c657ba84e2e8a012564494c41bf56bf8594a0f7b365307d8557f443be687eae68b8033061892ef47717b705e16470e18bdacc321804cfb23ea50936bbc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
de2bd60c29825d5e55088624dbf46a6a

SHA1
c0b916ff437bec5b52ccdc4322a8910e3c4aca2c

SHA256
beb156ce86df689dd4a46a323ad0fe7a769f065450123606e5c1ab9d4a8e5e63

SHA512
0344097f84d397e214333c65f6049f03d102c70532bdbd9265f18126373b6d6f69286eea5940328b541e0bdd966ca59f96c114238cf9df484e35f306bb350c16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2ec2b5f2f3f8b77803fc0d47754787a2

SHA1
d745b23bf67d93f5fb5a87f92ada1c2c499dbc94

SHA256
8b6e5cd7ab7df72b1cdfe5bdd65c93649a649a47f14489a5f1680a56bc3ae795

SHA512
d9a23e47f2eca1604bece02c9490930bd250f5abf831370d14598a82d50899faadc165fd75000080edfd481d3c3efeacd758eee18a6fb29f80e9e4349ad866de

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8920c294ab8544fe597a5f4e281b0810

SHA1
b0dbd51445cb8b46e3652d5afb9aa7111e814621

SHA256
5eeb5d2797dd40bd705ccd717a57edab7b58df8b93105533b6a546cc952131a3

SHA512
25bd4cef3dac5fc6d5cc6f91b8c434d4fd88dd551c3144b7dfd4a29782fdfe7d8a0c8dd4001d173a1b25eee7b35c5274bc482b71271f2f54cd6358e1a999be77

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
674c3ae600aae0babe3e44fef15887dc

SHA1
004fdfa9ca165a20b18ba1469972b3fa31fd8cd8

SHA256
af5622f2ed44cc742cf1b9a433cbf9403f5b3e2e24ec4722c3cdfe001df1b2f7

SHA512
ba475714d62ac95aba9b90cf58a0663804e85d1e3737ddb2ca52fc5e9b5da82c01aadb9c96aaef76fa3a7ac15df20993ef6be3303f621e98485cfcd6ce886616

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
aa35c87cfc49cef22dd94219f7f58bbe

SHA1
0b85be68e3eea8c6d3f90c9957b06d45f6f52b89

SHA256
0d885c4c30b2949f2695db9daa33226668fd99c4ff20a2e27b718f63ade4b264

SHA512
610a40a6f5b036cf38098d12f95e7a6dc2856fe33b86010761951ed3ff1c8d9dbd6000d43e6fe380e59873e830fa8ad79070b794e77d8ab41e7d1bbd027fcf4e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c1a92c25c6cc847b94122d39b04b90ab

SHA1
3bacbd381bfc0084d01f0c597e023c22eabfcc22

SHA256
3da3183195425d3c497e4dd0291ac445769651cef60373ebdd84688ec637710d

SHA512
9d4aeff29eed9bd14170626f54651f581ac3c44e3af563f8b775fa459f40ed55c33887b6516657191e02b4db7db6d501633c041381027e6ffdb8bcf3318872dd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
877bfa425d4fb6bc1cf2999cdedc480f

SHA1
de950d4c4a69abd35cfa4f1aa503cd8599a19561

SHA256
64f1bb31620b478591635676225b1eece71da96f1acd2ff32b47f96dcaaea664

SHA512
95dca286f68cf3275c23ade6dbad5b9054be535f46c399e9301610bd31080a5bbb5c253f1916e498003f99a2d33137b8642e46849e4bd5ac68e435844f25f471

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e059b8141afe63f660a9239846549d2d

SHA1
b16e607dfb4a5a3f01b9c6b45c9f66305d5fb30b

SHA256
ab7658eea37bea01610bd87821070d0f350be7a410ecc64880657bf5c4021359

SHA512
c2d3efac358bd3838773802451d05d3e06ebdb4014104c6f4f16955369f0d778551b4899261602b5fef478475e3a8f5300bc5848a538268113a87046af4fa26d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
807800d0387fa6d222ff1ee123477f62

SHA1
6179e02e572363830cdfd719a5f51f470b3c037a

SHA256
c338474fcf15921112dfc478615aa9ef43c0bec21cc758d83e2caab854fde8d9

SHA512
2bd697a4586b6589dfc950b0133f3577dba3012e66a452eced5ba75791ae8c9802917a16feee491979cc6e0d85b569fdf71e56c59b3accbe73fdccf4a0933e86

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
703422e50fd3c16252b5b6712c643de1

SHA1
edfb68e7c796068173ad0624becad0d32e01e9c8

SHA256
8f1553d87ff6340583f509f76620849b3f95301830fcf0537cf9194ef89b383b

SHA512
616978073dfbd879746a22bb675e6e21db5d85b28764f6689d65386f9622e15d35da3f6ab0db8c301577064ecefc008f0c67d54b85348bff0174cb0ffe79b784

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ca5d55260950a02a56151a6fb768e633

SHA1
6218ebcfdd92f4aea8056ba553cdf7ec97ca5a7c

SHA256
7e53faaea103e893c2acf237d7b6dbf70f20ade7fe0e1aebc897958ffda2baf8

SHA512
1a44c4bd0b19523d4b269239272129f85ae2de265dd4e3a281c60b9782b3e7325c1e2fe2b32beecb310961b70ddb95f643411f1d7ee7a23c374b2679b46a728f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b25068504ca2ee8a5de6d706ada3e42e

SHA1
6336d54f39f574c9b5f3090b1305ce3cf5e1a3ca

SHA256
d62f59bdd4a87ce6d26a685834a867a2a10e72c443abc45c02e90808c51d79e7

SHA512
58340415824748e76f25db9014228a7b74111ad0a72d9d2f2ea5746fe61f87f6307028d0bbbec45e94b34b4755727ee7c02fcf24bcfa9f52e8452082fff3988e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ffd8095f40730f4b60f4138b165035ee

SHA1
d2ec9dbcb72d1e321525f6c31a8db296faa44092

SHA256
7e166b6cda881b151ba2eae7667190b20e75abb7108ab5d27f1010f4bfd7d2cb

SHA512
85c23d2985fea0ad9773d3be739f3545025dd5afbf4196a13ea3a7e06aa1182cbfa5cf5e5a85e2a9b7f7d5e741e82f2ea2f6502a65255c1918830eb29a73b716

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
173f72f660c269cd4c096491d71e2811

SHA1
2162c701b20f51de8f4802906c69634e8bcb9b9c

SHA256
f188718f68335ea153822de8fb32f8a7c3b541eefd2104d749988e1d23b1fa47

SHA512
c54efc1b16443f7203ccaefd06dd79234baedcca86b9dccd1387f6760bccbffe1662b2f3dafc74e2c3402f529758b4232da564de02385faa6c248b0c799b1f93

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ec1028607453397d6f7b7ee1ecc82e6a

SHA1
153244c6f83f755e95f102edebcacbd2215f3627

SHA256
3edfd099fcd44aafc63ca4486e4ac97649238cc8487fb6a26f52f95494a0f348

SHA512
c4cdab95946a1ce96ea426d31819d47369a6da119cd1cee85fc16e7d926581aa8bedec107d8dd65f7d7a8c4ad16293c0efb6596cc04d889335057f3c88c9f756

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
925f620a5fa5a75cbc3928df3aac65ec

SHA1
68122dbfdba547c510d1dd29315c637311757f6a

SHA256
386bff23db239c649c409de6f33eccb5536e65e69bc77b7d4fe31d5411f05568

SHA512
761b67223bda79232365344238031841214127991942f5ce742cfffc395d7464d1bca0968875701ad41f1339878c7c162b97a1c8989cada3354a16ec4e565c0d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
7b68be41fbaa5e255793b34f6951b1ff

SHA1
cf5b0f0864edd6665f0ba0bd572017489b571dfd

SHA256
996828a05b1a01932cee576d92e31ba223efff82aa6413c6fd97f2f93e4b73aa

SHA512
922b0bc93cd461880a981d3f2caa71b820aaaeac0b7f2c332ca355c3128fe586c3f785027ff721e59e4f22bd5a11e662fd77926200c0b666a14877650361b767

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
02335a9cc16e0948d57064cdc98bc45d

SHA1
6e89638744623fcb0a1b71a4f992bf6628a78250

SHA256
801554cd59dee1e7ae84845983a6d30a47eb9258a415b29c5ac199da5743365a

SHA512
0768f283b8b4ce71172f3d9ef0ab9bcf0f79255209553b9675fdca3bfd51e236e45eab5cce6e57c2a8a4357c0c80f04b04cd2860f5c613d2fc2edbd76eadd2f1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
4d0a79bf9637f9cb9b86283f92c12117

SHA1
d0879e86f2c21cf21c4bc52563378f1bff489dd4

SHA256
3f8ac89e32549796e21ca1831840fa6b976075ac6cc3579bba7185a0d5834150

SHA512
f40d6d4e56600b132a4024e9a7e7beec45840ddef3b9cc065728b4bbb06e9d445fe4b094f76bfd4a0f9b5f0467f0cb03f128d249779a03dddf165d21e742819b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e0054114acd0133467b2f61635970421

SHA1
822bfe5e5c1cfa85db4435d2ba5e8a46ef430c73

SHA256
c9c2f2f4802ce0b54d1f43ec2b8f5f01945025438fd9cbee56db65ccfec6458d

SHA512
5c1b9d9cf723907f20eb4912880811ea382ebb35e1f3385db96a87ac18789c9a09818ebf693135d02220c0aa254fe7f9a625104a61cd2a61f92ef41511ed2ee2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
8e0b97d77ae2b170e0255cfe3f41884d

SHA1
640b2e8b6f41a19fd57176cc86a48bd4d7485149

SHA256
e9e413c306d30c98c4f33f867cc4ed10376472d7ccddbb146879239253d47737

SHA512
8f6088531a6d049385bd64e1ee4202a8df080997020610f693740d2047e7fc58d9585bd71a5e6999e3dae7c0040b001e10bcc895f04a33cb2c7c7e99ac6cfed1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3af29cfa175eebe1b85c314f778da762

SHA1
f7f63df4a1c781a2387b8b9c1945183f7c7feaa4

SHA256
062054bd46ee01f31a05e84c43a0bbd52e23426bb440dd6e796f21d95f68ea1f

SHA512
315ef55869deae8fb662f3a93814f26ae6f9773f441fa9afc0dd89c9c8bc2fc9517c750b2f692bb8bd3d904211660436600d4493f93b3ccb7ecd1409f14a138d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
184617f4305cb996189e7ceeea5d206c

SHA1
be5d5371d3159f95cdc3c1aa8a7172949665d8f1

SHA256
a83d95990a0cf6fc9fa3d1a9faa08a005fd64d0ae3fad2182f287dd7464a94de

SHA512
e140683dc824a14b5de568c3c2643ebf48ad4ffbb02b5b4c42ec7d0c35c07723d6d9dd72eb288dbcdcaec3ce0b2f08496d375ec108af53271712fd33935887be

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
68bafb1ecc2eb60ee87b9c1dc48d0fa6

SHA1
4f198a10bba0510f5809ca64f082ff917b2ee658

SHA256
a8c9a7558d51a92f5ff3ea04d7036da9d626d17823d71e7b3f1145e06a47927a

SHA512
b065f5826eaa4183fbb1fe80f4e70b3706c6496ea1379d6d452477be060f5f19cabb446e08106119399d5be02b4d5a123fc28076662190efb5581da11d3ca776

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
e2be7eaf7a2c91b17606ee3550d4b459

SHA1
335729b733fa8499c9d4c78a2a8198f47a72a0af

SHA256
4b98798b7b0faa21afdb9f99514deb78460f5054fc35276cc954d5963b28322f

SHA512
31fb4d7579ac94ce5d348f39b2ad159e9e22818aeb328bd6a5a2cbe2035b03eea3b233a65fc931a460d10dadf5e09bc3ad694cc2f8a8e568846a15055635ef18

Download Submit
memory/1056-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1056-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1924-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1932-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1932-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2388-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2388-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2404-129-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2496-22-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2496-16-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2496-10-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2496-179-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2520-240-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2520-80-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2520-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2560-127-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2800-19-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2800-5-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/2800-0-0x00000000025C0000-0x0000000002627000-memory.dmp

Filesize
412KB

Download
memory/2800-153-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2800-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/2852-30-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2852-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2852-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2956-154-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3452-36-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/3452-57-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/3452-42-0x0000000000AD0000-0x0000000000B30000-memory.dmp

Filesize
384KB

Download
memory/3452-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3452-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3656-523-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3656-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3692-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3692-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3716-528-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3716-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3940-477-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3940-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3952-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3952-81-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3952-77-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/3952-71-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/4324-228-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4324-46-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4324-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4324-52-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4372-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4372-521-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4432-86-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4432-131-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4920-522-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4920-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4936-167-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5088-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5088-527-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download