1098e942f01af9fc6f3affe46d001a06d486442d845a26c2aa719bd5e1e3109a

Analysis

max time kernel
165s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Size

24.3MB
MD5

15b092caa7e5870d1f51c95009423b43
SHA1

769d6107495dabe29142c8eb19e51460007532ee
SHA256

1098e942f01af9fc6f3affe46d001a06d486442d845a26c2aa719bd5e1e3109a
SHA512

9e6083d0bd4934d603efb265ef7cdd6f216008735bdb08a839c0b48b652f04bea8c3e7b6a4ce42e5f94bd574f778e08c4b2f108cdedcd0c2fc6d95ae88bd12ed
SSDEEP

196608:eP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018j:ePboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4160	alg.exe
3436	DiagnosticsHub.StandardCollector.Service.exe
1596	fxssvc.exe
3500	elevation_service.exe
2236	elevation_service.exe
4500	maintenanceservice.exe
3616	msdtc.exe
4332	OSE.EXE
4976	PerceptionSimulationService.exe
4544	perfhost.exe
4812	locator.exe
4468	SensorDataService.exe
1028	snmptrap.exe
4932	spectrum.exe
4460	ssh-agent.exe
2512	TieringEngineService.exe
2576	AgentService.exe
1764	vds.exe
1200	vssvc.exe
4756	wbengine.exe
1712	WmiApSrv.exe
1184	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\101f3e8a1012279b.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120984\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120984\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_120984\javaw.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a7b09107c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034edc705c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cea9541ec191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed19f906c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030323f1ec191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d0f4b06c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3d79807c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8f87506c191da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002eceea06c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9dab405c191da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1596	fxssvc.exe
Token: SeRestorePrivilege	2512	TieringEngineService.exe
Token: SeManageVolumePrivilege	2512	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2576	AgentService.exe
Token: SeBackupPrivilege	1200	vssvc.exe
Token: SeRestorePrivilege	1200	vssvc.exe
Token: SeAuditPrivilege	1200	vssvc.exe
Token: SeBackupPrivilege	4756	wbengine.exe
Token: SeRestorePrivilege	4756	wbengine.exe
Token: SeSecurityPrivilege	4756	wbengine.exe
Token: 33	1184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeDebugPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3420	2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4160	alg.exe
Token: SeDebugPrivilege	4160	alg.exe
Token: SeDebugPrivilege	4160	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 4284	1184	SearchIndexer.exe	118
PID 1184 wrote to memory of 4284	1184	SearchIndexer.exe	118
PID 1184 wrote to memory of 2548	1184	SearchIndexer.exe	119
PID 1184 wrote to memory of 2548	1184	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-18_15b092caa7e5870d1f51c95009423b43_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3808

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3616

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4812

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1028

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a2a8b7314e094b0f18358924354f9c70

SHA1
0203a36225bb7c7ebb1873c4452868eb80b78b02

SHA256
ec4e295b70465efde682649b1d435d86ebbd7b19ce6fe7eecd5a0aec006efee4

SHA512
e2ace36d47efbeaba522bc9f21147f5c5c8009807c9f32778f6fc8df9ae945a2242b7f67b4a824648fe87319428df3eebcf5a34926e5955fc9c22a5506fc6ece

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
5cd3a76901f26aee09bc35b3fda5838d

SHA1
4f433c1e6b949c6bfcfd3ae02e96ca312aea45ff

SHA256
9eb6274a6d74d1f829a78179aaf5108c374945977901ca6b47a03c4045c25936

SHA512
54b1d0514ee49b2bd11b66994e11d76a5d0c09333e1f5150fe5d202f731f6e3187b65db38f8c6258beade8b8eefc15ed677621f4514ead78b967fdf1c12832d9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
fef24a102ac56dc2c5d0500094362d65

SHA1
8590f8f71e5a0859af9bcd910573118e22399061

SHA256
1b074b8c67bb65ecbcbcc936c4fd33c2636966376532e86ef48638cb9e69a18f

SHA512
c906db3a95808064aa17a660797d1eacc75c1bd9746aabe936e5dd0dafbada3a883bcf97d97258ff787e7d57a46549172180f2d84d3ec16efae60372e4cf2c96

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
527e7173931c4de4a3328b09c60fc9d1

SHA1
16a4b16fe408ce5ce6e73b7d95a43abef2c8b89e

SHA256
fc59e36c7f32afc5baded9c6e334b043cdcae6964dd88d4b7e6681195913989c

SHA512
b2d4488061e796982e0600347683773120310e2bc74d8032ec877a7b4d53c3b68a5c6a9d81ecbf808957bb3a7543c46e8b85a9fa00150008e343fb134c9ec03a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f3b330b2d8ef4f93a09f8f916a9cd958

SHA1
fc31f33f13d987f1a1f5e8158400820d91d37bac

SHA256
f8c8d5f2cfb41af521dca0d86e2c3cc3a46da24bbd2d5f65f51a891c9ea5acb6

SHA512
5cfe079bf98866bc81e07253cd765bc3c1e2d9028350ee0d04b6e268fcca6048e7dca4f3e56b663c8b461ff7cc166891a3a363bd7b98f0d1f804cbcb42649393

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
d7979a691beadffa57781f38b3eacc1e

SHA1
a15cc8197cc934be608a1704a6f489f7ca59e986

SHA256
7dbfe6cdfa88702fb5af827e505ddbb24afb6c33bdc462252065ea08017bdf27

SHA512
2efb8c75bc8f5a9961ee58b5f3023f5df7ca8f1d3e81d509daae2260a4ec79c145228819d231235854e558763f71e7505e1726278df5d4609ba0f19b093c9b6c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
b67ab03b88edb50ec8474624f34ce513

SHA1
f66884d7ab11f26f23a281d8240ae90dbf79acb7

SHA256
a356d47b2702015b4554330c8d9953db47805eddb39489db69a106f4d28a2ffa

SHA512
16822f1443907baf016de9a7d49839d5bc894eda9483d318779b3b73e18b1a440fef7a163324d700e6c0b29a2eaeed2396eb6c22e5178596fe60e263ac07f445

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b1661e9360c83a48db09877dd1a5aae8

SHA1
375e8738a4544331ff84aa02e61ab630836c247c

SHA256
2380474e6897ba8db2b8aaa14fb9df47cb6b0f2ceefe68ebbbdcbcf3ede8646f

SHA512
5cb7e573ce8c040fff9b7ffcc8f9b3f3a3be69930a4ee25aa5296dc0091601dd5a415baa57d1dbe76dfd0ce1f61ac33389444eea5e2f6a51ad9f29935c42b9ec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
66b04ae2efe85cbae0918e7d2c6d3529

SHA1
14f7b93f2829d073f814a06e0278958c8d1992a4

SHA256
aeef6c9515ac57c1d21a9e181671f8e554d730db437be2b2837ffe4f75c0bc2f

SHA512
abb5b40147b9531cf0c686e28447ecf82539a7249a523fbc1d6662040d01b7bb6a3f5564ac3695dedc8cf29eadad1d8432570eeb25a77ca0a80b92698a1f36c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
532928c5159379b24cb66b5d82b263e7

SHA1
1c0385d612b5a6d8549a197a2dc4b7cf0fd657c4

SHA256
25ef290829d3ebdffb54038c7f2e10484ee8cd15995854fff1f43dc19c364cc2

SHA512
b0efd97d63faa3205eb30098cc8f8b125f12e46c0f82231ac9d1e5b69599a3ee23db9992446ccd94c8ee98a505e58c90c0b29c2398299ec0fbb591a227a1700f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
498b618ac07273b92a42c08bc41683e8

SHA1
3a5114e6fd75d376ea3340df22ada94771b2ccb4

SHA256
39767921a61e67915dd2ebe6944d732360ee26c3944a1a62c359c7dfc6141d8a

SHA512
e715ce74eff6b8673dfeb56f0b329df505ae4732092956b01b5bce2760b582a24dc3c4cbff7dcfa05979cb9d76a293d008f80c648790b166302ef6b4b043fa64

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
05270dc754005f265e3645de613a78dc

SHA1
558e78ed9fcd3208e35827203154ed8aa7142be3

SHA256
eb0250c178b5b03b52bae06bb78175985050ccdb9b462dbcc9a40d3f5e5462b0

SHA512
743bc8a727fc66f9ec5aa7100fed213d777021027ad6c55046b60fee1379c773640df32e733ee8f10f89687d743546f9588caa4d3eb8df0fb909892414d36885

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d56d51236b440c369568c728d2ddbcfc

SHA1
1fda92842a936190f21089d409fbd012b9097459

SHA256
038b61d5ebb866b42071332a4c90fff25dbd4354cbc46d565d34354858f8ff19

SHA512
13d75693c5fc08f3fc541a47ef77c4854ba7f2c7bca34a0804ccc73dbe2b6c03cc9b78f065e2e651f3b80c36b0a35f78dd356687d57bea8e61a3d009ceff9783

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
8a74e65f7b8d5031aad26ae37be25fd9

SHA1
1743e172273b72f96eafab47c60a9e4cbda0336a

SHA256
25463b1212e44ebb87a9da9177e483c0ec7f375e541c58148b7ba0027623aef2

SHA512
906e86517220e4423d6b278be74e56e80c0a76038f786b5d58189d7d06f2c695c61386fbadcfad2477dbc5800150f1ffb71b9c26199dfbb692979eb1b6c53f32

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
391183b533ceeeca07a60a0058e464bf

SHA1
8a318a6f7bc1908b19defe581ffe95cb59edc984

SHA256
9d958a663f497dbbb67ca901a67ef465f22eb7257baa52bfdf187767054afef7

SHA512
af48729c778f0d3045cf2de30523933bd09bb752963f31ee8bf0a1edfc0f937b6f7a56c3383d5f58a552e3f2597180dae11b20b674694a3184da173b879aa248

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
63b7ab8b655f1ba3f633b85615a52bbd

SHA1
0162d5eac4573bf4d32fddd207e70688556dd80b

SHA256
5a4c4c6a4ef2baaa62b9b2b8568517d1b30354f25fb7f9379f3de3230630770b

SHA512
3bbf53c543e3a346b12f0343dc1a9cf81097b092b7010dd9c79a83341473d9ce2aa910ec32ce31cdf7c86afe4dfc1ab9aed188b0e0503c678535bf6cd0b7fb26

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bc43a15ee8802f72acedef759371b5d6

SHA1
656cdad19bcf9a92b28e963143ef104b9dc8bd8c

SHA256
d1c005feaffa835300681dfba4b38120f398bac63fc202ca80c44228bcf6e642

SHA512
8e5b65d338e7ae0be6fabcb113e7b49d02d2cddc37a88f5bcbb43bd19af210d9e6cd8e223c01eb5ba002f6a1db9231f06b3569f4d0378000af707d324d6d6c44

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6051e790b636c29a8066133f88c9ad3d

SHA1
0980a37931343941ae24b98f1f77f157b1302c2f

SHA256
5d7c763fd220818370696f34465bec3c7bec8d033087e4eac916f66bc9672126

SHA512
55685b22fd224ba6280cd6656402834bb86cb3f9dd398e940307b8e48da72afc7c43ab60bf6bd837751315260ee5ba17b81e5fb03819a02d0bb656c33fbdcc0f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
9b510933b098a27f86d17d1c1e566b47

SHA1
fb466c4cdb7669f3a1dadec552c994c5fbd39ce6

SHA256
154b877439227f0c685676a5921fbefab9a92dd161bacc0d590d76493a940be6

SHA512
02962b486c7fad75454a7ab9c080d5d034c3c0195cf4082ebc1150906a64c47843a6fea946cc174335ef266bab4e9a4d16f0e26ab0e9169a6af8776f0631e597

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
50a2eb633cb3149d73770dbd210d7611

SHA1
948d952dd00bc41e0cb79b1df9d7be16ec3273c2

SHA256
0322e26d8f3a3e0e4cd87fddc88f052119e70fdf2ec6e625a473e1a50c8729c5

SHA512
d00a6d498190650d278569769475697e512606e7e8c048cde440157c1d369a66579ee1813e7c01d5dd8a33c13d42317f5a3e42c867f9437566a22b27f3e82a99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
00b88afa159e9777f439e4e9be3c5076

SHA1
70f9e50d35bda0088ecae18d217d5e979bb5e8bb

SHA256
ad55f12a7339c77f188873eedc4bcfc4f8509a44717b3e1ed96163442b5219ad

SHA512
056d3d320006a2863705d68cc2f962eeac67630d9863088880b08937ce86bd21605e4ff1cd4166112e77cbb2b6b003986c153ef24f8dd42871fa499afc5f882c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
6605aaf7d405a94533c019f8e6d04e81

SHA1
c37650cc51db75b88c67ef18a9bc163f9bec00a8

SHA256
b23fc23e4d1ec7a8acf336fbe1b92dbe50d1a5db6eacee22e2a12f244d519bef

SHA512
0dabaaa24dc5f59c799aa44e9f401a7656bfeb3c67e1ff02ee6d07a4cd9e12b7fdcf377bba871aeeef19e6e394ea198c7bb7d317fb153de9d8ef6a3082656728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d669d890d80a53855d96c538766b1e7f

SHA1
652acf8a219ffcc77b535fc71329024935efc43c

SHA256
3cff8d6d502ce4cfd29d5896872fcae39937b0b76581e2884bd3391c48c940da

SHA512
0b3932760d9093612094fbbf617c4ad379264d02b7242d800f5f3798af4979a7465d490f10bda20a4c28d728a77858f837b66f08a3be690ae663a20f99d14359

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a88bde11856b205ac5566866014256e7

SHA1
530246b57775e8e992ec0bdf93bd21169159de0e

SHA256
79737c07f220e20e5dd3e0c263240bce5de272d34574213b9be9ee02339dc838

SHA512
9bff5e4997e7411a2f55904fb5652295cf1336c68ddff9b04b87948254c95753d6fe1bf740d85d36a6378b03c601957fd3fffff03f45438f8c004309cf8ea9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
c60bead43b888a7119745d0998e1da39

SHA1
915bea5b51f6f78f499a530954b2839f5791860d

SHA256
8526ae4524d586799001902bb0244428414a6920bd162b43856d30eda23cf9a9

SHA512
268179a44fb1665b9c74ca10b9028c0965651959d6ab45b93ac7a08265190e1d9c9e0601f19757eb062a0981bdd367dd0217e42fd1078a507ac68d1db93bb1f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
da26a86a965b20f1d3ba654f035d0487

SHA1
d9c1b2a24c48bf5870bdf9a234b198417cf03909

SHA256
5ca266026ae9c2a96bba4eb678366040c777bcd7b8fa7967cf6c786663fc3caa

SHA512
02f4b0da312ce0f0da7909656c4e999727eebf7d0e4cd37fbcbea5a48d18e14ffc0b0c8d93dd851a94ccb5944d046301fc810037b3892647321bb7cd5f12ed52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
a3f3df5088636afaf7f2a0f975a1a522

SHA1
a46a694388236fbe09edf6b1393a5c1883df9c33

SHA256
669aaaa81e3cf63d7a49bb5c19b267444b009d8ebfa172bb7f30b4f5a1b0b035

SHA512
e54cab8c9be40a49c99c1daf82e83dc97ae5ece62d024a81f5ff09c68799b3182abe02db29e2e64c3cb063df0b66822c3a17a37834a663bef0da83e22f4df3e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
78b77e5f218038dd6f3138ad4f727bb8

SHA1
dffb8256c3d36a8b5f3680e71fda4c3daae76ef4

SHA256
6630ece7561d2bd9bc39a27763e267caa42010f173bec4217e509bfa09920fc4

SHA512
2a3d664bdfe53ace2f6556fffe43dcee74c5f0caa5a7399c001673efab3e4c11e4ba68c0fe9ca6dcc87e96a429fa325e53b2774b739b61e22f5cc04ad7112abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
aaa2f9c0aa2e8cc0f141058d8ffa2a0f

SHA1
0f18f4e6a521e6f94b91ccc7f7714ead1a3a70ec

SHA256
fdf54ece9b8755432a18291adcab41d0cdcbb71cfa2c560c3bbd63557d82346d

SHA512
7432fb2f18f0ef034ea85851b759a7d7a83e0fd574ba5eb2f39019a261f8b14b32abc1dfcc56bda3080eb2a4a668bfa847f31951109b597efa83297aac37cb40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
4995360e201a8e5c49441ab793db4642

SHA1
446415ec082b59bf792ee432fae05741032f7cec

SHA256
f75b88c0905782ffd9bd07c3ebaee1fadfc8244c8f0aeab6fb79160b3a2219db

SHA512
34b30fad33af760bdd644e291d68e5b6dd1950eb5e41db2ebfc3984ce225de96313a451884d130dd940d960b4286a76520bce631dacb9c6b88318407fa2f2dcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
52015af1ec2727af784434658d8007fa

SHA1
693a23bdfce4a7cd116386a879099d54f8d80e00

SHA256
2128a4a932cf67b12e502c6bc1099404caa3ce205014d325d727694fad63c504

SHA512
0fcdc8266c4c942037b03b6b86ad686c4ad882bde6d4377ed1a87e287313e8ae1a0ea6068b6c3150958cef2f283c9e7273ac815faa43493b3a6a6624e3094e2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
ac3af017b6643075e42596e16a5fc402

SHA1
3246f9ee5aa277c46972eb0f42a1cce595d4a36d

SHA256
9734c47bd7c686820b3d59858ca788421ee3900448dd3cf08af2f004a2aecec5

SHA512
c21b40ccbaad24c9318c42cf4b9b5c12228f29a881cfc39fe3528efb89daece1db75b971f0b34b25d9c631cc0af18e954a1d95e8c19fc99b63187888a834cad0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
27d64b9385033f6c93af1698c2f58257

SHA1
f4de547f23036c70d838f4b922a4e71dd6c1194e

SHA256
d92f9a8b4c1d12120137d20864b1b3a44fd1ba045457273d2eaf71b8411e7ac1

SHA512
cb1a9a3ab94201b3ff93648b90f0ea3ee38de41f69e1e8f977e53b5c2cc2962d74e241588ef45aebb8d6e20963150749e64e998de252457ed7a39a257ec35a96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
494a2ebecf5f53989fbb94470c60b125

SHA1
cd5f2b9c0dd6893547b334de16f6195c9c4f0501

SHA256
20c89866ae8059caf05d7fa9407d2e6266a1e19de70d479dbfb7eb66f4bb9ead

SHA512
13dea2469f98fad36974eea74d21e7a9b37684b9214a65429eeb4c1597696d45e480d8facf05604f5d24e8092dea631079dc77c63672e860088ef500d277c6f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
c3ce3ade2b978531fd619ff09a7275fe

SHA1
dcc4e2e44b6ef1b9980ae72f0dc234e078d15c37

SHA256
d7cfa309a9c5ef7373113232d1b2345100a871731faac731e8797690159f187f

SHA512
a0a48187cc549886988ce537a1498e43814299ed1e8ddc833e29f58ace7d9fc34c3fb6de2bbe3961da7a1ee5508c16e508e1dca9165a81057bcce5c59ed46ab6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
800ed9eb468ca1a107a440d1398332da

SHA1
6fdfcb4fd8cab201017a5de175a5bf950ca88886

SHA256
49eb1dd65281829b6f777d2520394b16cf43549faea8842996dbc8437dc97b3f

SHA512
9896d7ea525dba39a6c467083b0ef820a20d352ec22e2607e76e7e86ee4b0697300fe6f5182a4d2cdb96f32166f4953d15b44b506a5b7b844849b0cf28f6bc2e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3903ab9d47c9f883add567eefa15f297

SHA1
47f03997d4ac127639dad4a8b8cf2b43aa1da9f9

SHA256
06788b22d93eb39633be74cac1f84a39eaeda6fe9cd18f8279e56146f898c61a

SHA512
1a502506fb842729df2ffef8dfdafae7e8896fec0c8573ac1bfbac6829ea4bd2a58470f87d5c653cc4d4e95a503b372c482372b6c28d413bf5c862185c46afa5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
bd3413af8042138cfd21568092334e7a

SHA1
87a5abbae213b57a61787c7a458866f1d0518751

SHA256
93bef768531d7419eb77407cf69572a5693499d2328a21a534185b0fbfc5f002

SHA512
8ab571b4c1dc2bb158e5ddb57ce75687b715dee9c8db90a7a33ad786eac40371d6824e9d95339ab83d0930c1cc941395f53d33373f8703507af703bd7b0f26f5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
99fb8fa8ee99c8b0b340249cc977af52

SHA1
a8f10b6e19d34de19d822202322c6f058a128459

SHA256
891b77a01100c88293c079d2c05d795f6d1b990c881b9d7c1d60b219e28f3182

SHA512
5f78c40f523cfe09330baa71fdcbf1f7225cd146f061ac018b2fdfddc0b5de59b7dc25a79c771ec0e83116d30cb3027dcaa98db42201d75622db7299da409f03

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1965d00688502a467e964e7e4b83976f

SHA1
47179190a41c8c9182a7baa1a6acbbeead760489

SHA256
0f538a26630bba73d33f310a7e6d01d8e2e5fa45f25372695e52844fe38da915

SHA512
34cf41969e5fdf3329db5899f5cd43a608e056bbd2c3898387ce4c4df761714b7a192067e88ba38301fe4e9959d40bdb48afb1da14124f911d3e7b659cb08964

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ddb52e1f6a0e88ae8071e4bb6e92e74f

SHA1
91369d6f1274a296d64bfbda6df126d259119f9f

SHA256
48b3d2ff90eead16fac946248eed2d1632a07b32c75dcd1f2113f9a3e0b1f53d

SHA512
820f230ac55806b68e1cd639858573e394c9dfe85d6abcc376686fd9fcc0b607067f3e5d03093b83a5e87883e68e9219f4338d5f2bcc347007ddfc7ad2cfe032

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a8d33a1e689b3fdeb0a1633c27e47748

SHA1
32863bb46eb7ff4f8c24d4f46552dfda0fa75c17

SHA256
98644cdf32ba2dbcc493aa8d8fd242cef30b4132ff0434bdc07921407f7c2982

SHA512
65fb546d050fac0b3515e62b952b06b51e12fc6685f57c81f9a4c3ffbec4203c8f88ef27582899038b261fd17f331f5c01f92f9d9adc9201eb0cc90b175bbd7d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ab565e9a56c29c1f85649ee2de0a3494

SHA1
bfdec5f65f5ea988ce95eb73e86c98f728394689

SHA256
8246094ed076409da04d6ce4bb6a789eaa99643a105539e0de52cb501df72356

SHA512
306a63506e9e00e3750134f064a04db8c0d42ef6a997e2b121b3e52eccb4cf230e5dede3b1b60ecdf3238aae1569ee1cb0d244fd09ef437aff08de3f398836fa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a5f5650c104a46649fb6b806cc1acf97

SHA1
c1fc2d6f53ab170e9844ef2bf520c9cda114ec66

SHA256
ad014047e4dc21801922a25b8c052f519106d3392ff82c712c24f41d0d245aec

SHA512
17f57ba0b091fe85417c3324545448c5cf6311dccd4110fd333584a06905b068ab6226cd5de81ddcadee64660b541f8d2b3222e65d12877093f090a04e7d56fb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5e1524d1419739e44ac495d1246dd0ca

SHA1
368a82987ac510c609cb3e9538accc585421d3f4

SHA256
222bcc6acedfb993c9d8416b99a31fb8312ff8f0a91360257dd0c836f838a814

SHA512
b193468eefedd13423293a723f8aec06e6561189c66d0e23918fc753e290d000bea75d78cf81f25f8c0f8044bf86f2df5e693da2bd16e45d8173734e7477b8c9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
241351d12442447023672aceb3b3bc96

SHA1
b3db78339dbc3b4ed9208548ca06374137f8963a

SHA256
340476084ad5c11fa4095194adccd89ad07bc98dbdf0e3b9b0c5f41704c9d406

SHA512
615cdc800e6287a64cf3e593874e8fc99d568bd1c7b43381b017ab13ca79872329dad707b273f2ef9d73ef2b4dcfb7326234b1296c2a0fe881fe41d929875438

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8ad76679434bf7885721405f8c1986c5

SHA1
02a40f00d574c73292d4161624b8813814b2b9a2

SHA256
2974e96d7e21b248e0658a6d4981df591ef15aa33c13e100b533f6fd8f8d8a73

SHA512
2795f2bc9f2fc3438139dc17b2a54a9719599ca56cbe8f4efd1edc4bd6ca4d9b893686240dd812b688d2cfeab4a3c791ceeda0a09da4b6a3018d40cc6473c215

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
48ac73cd7a789bceb93d69d1fc3f2d87

SHA1
a1a108be747edf1138305082a87de1328344c7e6

SHA256
d29f5e71a0f245b36629c10334e034b9a1712a9150ebb8d7db59fbaa6c08f52b

SHA512
1452b28d7f4f3dcae4913b34a2bc26f91060fa568114a1dee05693ec2af7aa7143b0644d1ad8a9be4eb0a60636f6235df18efd63ab62dc630f15d16958ce865d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
498060583705af5885293ffe38b828cb

SHA1
b576477fb3cbfbe8f4fa64673b37b73229cc07fd

SHA256
9816bf467ad24632a72aeb83baf602630e436ef822eeddffa2ff633b33afc764

SHA512
e13dd277470189853459b4f51104fe43f3dbe8cfa2bb4847e2561613293c7f3283c35305bd51259568b463d1c7f3ed72d7a1f66be853b9c9df16edfc44997150

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
890b21a6e05c1a586e54b138e0b12c49

SHA1
7b181004fc6924266cdfb22c747bd5aa3bdd868b

SHA256
1b8955341d5dcbe2ce34ea560c989aadd2bd4ecbf134538e8aa76d6c1137e65c

SHA512
f0e42496b84cbbce9adaec8918c75331dcc13912cf060b458bac4ce7569b5ad003abf63fbf2983dec27aacb965a946bfffc7e48e6b175d3e91b1cde3d0b8edc8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
d5c870635ef7cbe08879f8c703cbe288

SHA1
1e1a332bc103dc327904ee530f62e9459e7b650d

SHA256
0bdd10f3f35b8eca91fb4d8084b5ba3e4ea36b0460893b325ea8c27e4f65d189

SHA512
3c8f123724093755011a788a72dcefa9fc02aaebccc6aefefab4e9d955dd1021ab25fa4e641b5f117b150ddec2a5c390204d5b9bb1a948151e73cd6b2a6bcd27

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
2ce58894c29095ea93d2a043b30ca5df

SHA1
b18970e31905e538cf3c8f6c90fb984c400b46ce

SHA256
87e5e3c72ff7bead5c790722de0519841c39edc86f8e0a8904cb554e30ea2726

SHA512
507714051e2467428a6032daf1d1c13bc4f3965ec02b41a8fcd2c6633c8a32ac61da9a641b21118c252f9ca3f83f1bee1d15c0b3bf50579e52dde59c475b08db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c49d039408178fa7900d3dfd693ed510

SHA1
dc21011af9a2d9d9f83fa313eed22015edc41bcd

SHA256
8a08b0d5e75865dc82260fa5ad4a6ae984929a924e9322cb59fd02ef91a41693

SHA512
86a8b36437399d669e67dced6083d2a3631cacce7fc0728e515732b62f759f6f8b52edfede7464a71c48e3d2799bc9df2c15aaed2cab06429fb6890cda2f20fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
6fb608a52c4737cafcabae2b2d9bedf9

SHA1
d8e1ad0f75b090de486aeddce5d0ab1603823c81

SHA256
d8a61de35a8ffbc22c2dc14635d59184d99c2d4bef464aeb398b560e455645cd

SHA512
0931b980192704e46bdaa3ad1b76331da51aa88a45aa105fb0dee1c71f9d429a5fee61a50449b1cf8b27fd1c5ff2f83691ffa7c94ecfe5e2e4fd181129905368

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
090ae0110a103c893c4a4de4fb8483cf

SHA1
ede9182c0a4d0b72ec2345a1df99681beab92407

SHA256
26cb9d32db630dd9b2b51366d31ed97b4c1812ea76791af708ed125afa16cbfb

SHA512
67b5db306dc35ab8ba180e7fb8122ab0cc253ed50ac7daa6587afe483fbdbdd45298e5b1f4b3e3eb7774d229047e4ac0a2876b906cc002ab3be9feadbdd3d738

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5a0b269cb7f9f3e91b1b2c3da4457886

SHA1
809b052df41aae88fb5332bd4fb3ffcb1fb48b6e

SHA256
cbd225f81dd87e86f3835e0e162285fe27ffbbbb124a7eea8f95d91e84b3a8c2

SHA512
cdec09089021b128f6ddf852101ea107bdc251ae71173b8f2e78dbd63f63cdcbd9bdeea99a7167f9caf47af88c1bdceff0264affca8d8f85e48dbb506c58f682

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f75dcc5f87262417cc4523e20d69b8b6

SHA1
69fd90f2d4153ec6796902aee04720a5acd621fd

SHA256
c49b30b5d4e42508da742af90ca5d00587dbd9b7064394a33a79827ccdc94d89

SHA512
bdbe1d7abc9bd72d7cedf210fe9d8ac143722a2a9eccd9705d3ed8ee1a435be985feb3e919c34c91154d4b50a438165605f8173b5fb9190b80e0f41c32d34163

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ce3e3dbc3dc0d754c1abc9175a5dd735

SHA1
3ebb5488a8343762aecdab5e58bc19f81a61a85b

SHA256
9d343c639ce3563be2261604bb5e760dcd29fbd012eac13ba4850fd04b6e2f3a

SHA512
87be2d08797772a95ee790b978216b176b5b5a7aefc8b47443e678b1d04c708eb8628d11634a8d77822f768ee3d28ab797fc097c4906aa88c0a57eb4466917b2

Download Submit
memory/1028-174-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1028-234-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1028-165-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1184-294-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1184-286-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1200-255-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1200-247-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1200-436-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1596-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1596-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1596-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1596-36-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1596-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1712-281-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1712-275-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/1764-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1764-242-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1764-374-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2236-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2236-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2236-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2512-204-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2512-212-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2512-273-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2576-225-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2576-231-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2576-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2576-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3420-5-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3420-6-0x0000000003D80000-0x0000000003DE7000-memory.dmp

Filesize
412KB

Download
memory/3420-62-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/3420-0-0x0000000003D80000-0x0000000003DE7000-memory.dmp

Filesize
412KB

Download
memory/3436-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3436-92-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3436-27-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3436-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3500-58-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3500-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3500-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3500-51-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3616-159-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3616-102-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3616-94-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3616-93-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4160-19-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4160-76-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4160-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4160-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4332-173-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4332-118-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/4332-110-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4460-200-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4460-259-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4460-192-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4468-402-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4468-400-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-160-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4500-77-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4500-75-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4500-88-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4500-90-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4500-84-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/4544-136-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4756-261-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4756-269-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4812-139-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4812-146-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4812-203-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4932-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4932-187-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4932-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4976-130-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4976-185-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/4976-122-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download