e03bb3bdb16627b6cd7237ce7f357dc8affb40f43beb0c4d6b844009f83e01bf

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f528d0f5614ea8af232a7269a490e662
SHA1

4862934c57bc3124a43699249d7fe7cc54ae7f24
SHA256

e03bb3bdb16627b6cd7237ce7f357dc8affb40f43beb0c4d6b844009f83e01bf
SHA512

52ddbb0010eef2db7c40bdcff00e5d5c7eb3536e94556fb42cb946a075ec43de427ede721eb2d966b8e72b4d2358624a8a6d58261a2c71dbd6d5cecbb95f78c1
SSDEEP

196608:CP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv0189nU:CPboGX8a/jWWu3cI2D/cWcls1mU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1884	alg.exe
3932	DiagnosticsHub.StandardCollector.Service.exe
4964	fxssvc.exe
2188	elevation_service.exe
1380	elevation_service.exe
3432	maintenanceservice.exe
2068	msdtc.exe
3428	OSE.EXE
3836	PerceptionSimulationService.exe
3540	perfhost.exe
3516	locator.exe
2932	SensorDataService.exe
1456	snmptrap.exe
1200	spectrum.exe
2184	ssh-agent.exe
2700	TieringEngineService.exe
1428	AgentService.exe
4712	vds.exe
3456	vssvc.exe
4800	wbengine.exe
4896	WmiApSrv.exe
3040	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\821a4e88fc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{96FEBE14-784F-4E29-A39D-9545447021D0}\chrome_installer.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029898206f791da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003188fb04f791da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c14e604f791da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004812ab06f791da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004025f904f791da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4964	fxssvc.exe
Token: SeRestorePrivilege	2700	TieringEngineService.exe
Token: SeManageVolumePrivilege	2700	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1428	AgentService.exe
Token: SeBackupPrivilege	3456	vssvc.exe
Token: SeRestorePrivilege	3456	vssvc.exe
Token: SeAuditPrivilege	3456	vssvc.exe
Token: SeBackupPrivilege	4800	wbengine.exe
Token: SeRestorePrivilege	4800	wbengine.exe
Token: SeSecurityPrivilege	4800	wbengine.exe
Token: 33	3040	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3040	SearchIndexer.exe
Token: SeDebugPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	968	2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe
Token: SeDebugPrivilege	1884	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 4420	3040	SearchIndexer.exe	118
PID 3040 wrote to memory of 4420	3040	SearchIndexer.exe	118
PID 3040 wrote to memory of 4000	3040	SearchIndexer.exe	119
PID 3040 wrote to memory of 4000	3040	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-19_f528d0f5614ea8af232a7269a490e662_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1740

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1380

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2068

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2932

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:932

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4420
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9036e70c8443b3aa520f74a1e32288a0

SHA1
3aac6f258a74c12559634d483cf4a08d00b44115

SHA256
69cb40f2ea2186c515155284c22aad275ee569cbc4b3e54c3b44dc7c1584a21f

SHA512
b05b9990165b980f394e649ae13d090cdc1e3bd7d4f08683546d4dee037d38dab93476a634eea92f71c254125df100774268b955b508b275164691322685c91f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
582d62b952f9e5fd96a64124c62189ce

SHA1
a80c68429c1d3f9c117515e6e0a0b14a57d8fdba

SHA256
56a12ad156a76ca4b05585c44fbc80df1cab450f68259132184274d3d4831fc0

SHA512
5fc1b04152c610c3e2203aaede5b304cb9c88dfad4f14536f1794456c03eb41f5e6db0e2f44f275f95c764782dad4e6efab9b9efb5cb852aecd5d8962891cff0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5856bcd0541c4a0df6685ab86b705277

SHA1
906ba1ff4c388bc18117c38bbc250221f0268f14

SHA256
368490989447b1e939a5d1fe573185e1aa402d88127dafa137bc934bad2931d5

SHA512
ff310987783946e4b7ea7364016b689b7200fad4274995f573629bc66e6c4fcee4d633b5a18702a057f2bf1dc3f6c1780c5c4c5e036fe68ad5978269f75654ee

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d7446a5e36ae7ff406c533f3f6dded66

SHA1
de984dd28ea0948bbc070007d52a7390317a0d0f

SHA256
970bfd8fa7699744ba2abf93b4f05065aa1c736e88edeb8deb659ab7583635e1

SHA512
cbcf7cd9cbf8ec7163ad7a4937a394058e492590893b9cc6301112a722d1265d79f0e59d8a82e2fdb1f4e7a4009abfc388c0b6e19e27902036b28e208d93750d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b8ae91e24ab9bf255445c65ab61ab950

SHA1
17b3d0b4522423ac931613544d2f884901c4292d

SHA256
9d660e588bb1c86a2f2f75a8040fd0596b5b279d76d809d27e13f77e1f8b3d84

SHA512
92d7b851fdc82a04a0d9e28c37e9fb33eb49fb08bb4c5cc3fa28656be595ee707f0f318c1750465f13ded1a232c351a752c42f0c633d3e7e3f7c44abffa377a8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
6ee697fe3a214e8e94506e5193e85c4e

SHA1
aaf5878467883a571c271c379fa44398a7dba900

SHA256
13a9148a08a9c3af10895d3985260ad2ed82177ee9fb217f69563351677e32e2

SHA512
fb5b13de1a6631b34f737e35125ec2b3856d7fa0d98ff2c53cb7c93ef8735aa70aaa24fc4773d2926c160f2c53c4f9b478daa53410cc6c65696816e88c1c1640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f9c5b7d7fd247adb82d182dd0e1149be

SHA1
5c2e1c4b0eddae952e49fb895560a0ed40698685

SHA256
caeca9fdec6cd764769aca8c25bc712b2889aad3d189472b3de7485ed5bc5e50

SHA512
edf76593e5e0b5f58b6ce1147d29bc0bb8f412ae13b79ce9237d0dc1db04d7e281e2b1f4001457ce8aa035ddf1c95c91f0053c2d50cba8ae3fef249e77bae258

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
305d43ad971abf87ee5bac1ad68408a4

SHA1
0fd42e140d8436bfa393db70664650151c2c8210

SHA256
6c9ed2cdce5d62981efa03f57a26e048efd4dc961149650ade74621099a7251e

SHA512
82aa7f9ed0d86d73fea93979a26e7cdc0d594fcef6abb72e49775cc6de0991e8e8ee205df287a253c4aba9f05e445b7cb14ee8070c23b74b0bad2b584acdb2fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c2a6cad2b04c577b52644713538606d2

SHA1
cd7561d1e3222f9b7862b14be3334f668c4e42be

SHA256
7c351f6fc4f0fb4f4b1a3c58d1defd5ca6bc959b4bba780ac1bfd47fd6d82261

SHA512
a1e7025bc28c38576438f88cf880aac54efe940d04c598768f14b6cc29f2ed83a98b4aafc3b1fada667c2339655c2c0e0838439555a2832f34f4cdb4dca9062e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
aa8798d490ffe72a90a39debc33e6022

SHA1
933a56a38a6e2f597a697811a0a06a3666155e74

SHA256
b9698c72c05468022ec9dda2f94df35d9eef6188dc91d63f45d8d26dbed96764

SHA512
1a44ec5782fd055fc717d3c5d31ac3b774f694cc9709708e9908102f8c355c4a3f1d589a0b7f17a28a5a198acd3aacdafc9341de24127fcada8e1f28be1e6ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c18d76aa8f995ee6d13a288731570b7d

SHA1
b86524abd7cc2648bba1421ffdce94930a27d540

SHA256
ddbb0653800a607f2659b457a5f93480d69af678abaa03363d07c797223c5dab

SHA512
98e1a37d2f770466e622e0cc5fcdbc961faea6feb3f72683bec91b0c7f8cb83f4b6d1a408a364f15de9dcad97b867d14eb602ea8a6b2c62eb0200b728eb136e2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ce13fc3ecc534ccdc84648a058e6f3ef

SHA1
6602c34d3205cd0879bca2143fd5a2d9b725bf7e

SHA256
f8bd0273eb701a1b034b5622121ed1101aa38ce4ef5499ce3ee9f4365cd43b3e

SHA512
33d54c625006322c57c124811f6c731e7ba4323e486ad1bfc54e99a42756d1cd1220f5cc0ca866609d95952db5863fd4ac1259d76212bd862e6cac89edfcdb6d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dd8bccedb315e80839f5f1cf0f1ce70a

SHA1
01d6a7963af9bf978a003d2a053b0a2e09003f60

SHA256
78bc81be33be2467c2d41c73f88c7660c386318883fb5c79f64b3248155bcf46

SHA512
0121b0435e3255bb8c3f2e59bff2856cecafc757ec99da36a2da27331cf8730e6afff93683f9a5a5bf0df1dbcfcdbe19194d90f8b86bce56a0a16cae3cc9cc94

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
4c9beec7cc098063f9bc582826c01b1b

SHA1
13297ea97a25d33453ef0628aa821964ada54036

SHA256
ff11c468bac81a8cf7261465dc8f49d4ed7384689f970ca53fc806d1dfa713eb

SHA512
a8c5ebaaa041cb4d6525d2e1d993579c4cce80890eb1dbb4d241206102d1a8bfcd128b1d1fb4a440c1934d6245f2d37356966429cdc3c1837eba07ab7c95829f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
73bf196e89235adbbb85c80d00455f55

SHA1
0c18fa4931e387990c7c99fd1dc90fae46221dd9

SHA256
32c5ffd150c8da6699294714438c316f8a718d38994d802c2c35df40413fa40d

SHA512
8afd1bab22d29098cadda7584edaf73ee5cb9902e651b8fa3dc7b1c1eeae7875269224da417382a1f1ae213c028c8a71f9e3fcaaa20ab939a99ba581086eef0a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ece239ba4fd50f74ecc80f28213e8a41

SHA1
c526043c92f2518d0db7395e8eb5690244730e01

SHA256
5edaa447b6908e37d8aa2652926d5499e8409ec016eb86a75df35e6ba19d271b

SHA512
56edf1e9e793ae61600e020d926f416758a894a23c8b537e6f3a97bdb34887536fb6e425ee9e981ac3b010770812c703056071944d2f4ee7f51a802d9223641c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
54aa99e838a6ae26e2801193fdafa2b7

SHA1
b6663bdaabe45d6eca7521ed833982cc62124a54

SHA256
ebefad67355943082e70fcb233022eb8935c3e4a25e82fd23ba89c6e3225844a

SHA512
6f4eea4042a407a8e34564f030b804721846fb94bccae28c6ca7d3f8749d648a7316a773e85a7235a55c9c9a37ed149b5f031cff4ee228c9e6252eb764093fb3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c1c9143d35bdf240570d4016f6b6814a

SHA1
e95e59166615976921527c882f7320c840ece95d

SHA256
ab8b1b58302a27d85d903ec413c0947fdc2798f7af21a1b78e1b20f1699384f5

SHA512
7bc75be4e5985da406b07c300abdc05740b6b8f3b8509b79354524f1a1f2b5b1d263cd5899c5d485fe971a7b8716f40e06a0fbbfb573c5c779a8d00157a0cb02

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
d0093aa11fb3dbb37961312c63a11108

SHA1
3f1ad4eb2a4e8ebbb3e30e25a9db40e23382bc7f

SHA256
bf87973b4603292062e4cba624fb06a45f98f9ba055355c17df00624045fc0df

SHA512
13ff86831f68c39a5f6a5707fe82a4f490bbefeeae6ca149223b38b777c736513f6c2bbdb71cd1b5faaafc93febe1ffb3224ed1bdec29da002baeed4f8f435b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5b00d0a2995553c641e78251da6b04f9

SHA1
57f273bdb3343109469f1c4243bbfdbf73b56f54

SHA256
fdbf1049f2869890f41fab4b8f97c2e27a82102572021596331d721df397c401

SHA512
b7123381ff1a51890a76e5993fcadf4296f5a80b7d63a97f503971b09435cfe383055e17555d4b6c95000abc0472efc1a80652382b631a85cdd77712302a0f96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
19f598ee923f295f38c563451a3d1c8a

SHA1
cc73000ee74d60687d06ae72c4329a86a2e6c0eb

SHA256
7c5fa5c39f742134047e25bbd29bcc134199edf748ae8a7400ea1305c654ee60

SHA512
b1e8d37c124273e392a22aa34c33042e6e4fee038d721afbb93baa101b9924374511681446ce95266f3eb3c46dad8aefe690ba743cf5fee930cf5a38fd618482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
8ae6254f294ac8cc2f325dad4c017acf

SHA1
c748d90feb3f8500ba9538f6338128d70f6a26cf

SHA256
326020f8807e8eb089258ac5c2a1e785a0f8ed3ebd2cb78f28eb2f47b4efb275

SHA512
d46faf138d5451c9a33c8b775e4ec33bb5c77b58cc6f730001ed946ae0245f2071b04ad9b3350697b96cf8bb213a1a661a0213aa99b73a11280b1fa908501cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
ac6b265e30b11b227535fa05dc37dd55

SHA1
b01a963aae1970c8b9b7d484861ee79d243dd62c

SHA256
78a16dcc39e8617a03f3bf9ba68decca0a04332cb4fe9d07c254b4c10237362b

SHA512
cdd22fbf8017f19405df30817b5fa146a3579f8824565a8149ab84c2258d1bf43e1937ccf0be6162a1debbc3b32f3f5a54211f7bf9f02043e261d6fbbb761e16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
29a5d4fc23d42ce5083633bf2ed8546e

SHA1
bd02408067ff9a046c1cee18f5da7b6989165400

SHA256
a7bc6bfc7a90caa6455e96e9290009cc19d19486caee01dc062e029a233ed7f1

SHA512
8408041a14fb887658360cddff37c5fc5a33ec7946a873cdc1efdbc4f095ebe34b03a67ca0ed857984219df7e6f4221a86a7737106c36eaea2954b199f82beb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
d7b75956d0e18cb95e0d646bdadaabbe

SHA1
b7eee583d279fbc1be091c27bd37760f5c321161

SHA256
fbbd7c97f6d5f6e9144c2b76329c4ea6020c48e8175c35dfc7eb27e2acc1708b

SHA512
6eb78a1d73a9eabc68737e2c11e4003dc9ec3d31ed46949426363a7488ea59d282298184f617c0ace24fa77c530c07f699dae356a223882c3533a81354543533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
15f9e5658d7bfc7959737d1174f41f56

SHA1
4a51dd3199b81adfb6a850090c1d5aacb1df00ba

SHA256
4a81f5ee5a5a25ad0c5f2d5158f59a6b6c81771fd73a0aa8375f7cc3b07d26f1

SHA512
57a10caf934218a6aaa81a4dae74b72740ad45562e018751af4b5a9e8da447dfb2f3d1ca72486718e0b3b6a3e2b3ec0565b63b300c3df30c4cb4462f67db531a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
3df384593daa5a42f022f28c679ff913

SHA1
a0acfd090f90d32c41e639bb8b3e7cc602c7f831

SHA256
f42f36119a2c6f9ee9bdfb363bece769fd6b37924103c53c1c3ab58693b4837c

SHA512
74b57e48ac711b385099aa02c73e17c1fb7b295644c3501d999927870e1cc39f2dc7dad8dd8ffcc33459e9606df27459a238c9c469475ecacbaa02dc8c3292bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
b7cde362db1f5b1c89c171563db6bae7

SHA1
17df2c74e5d4ad4f1f1363fbb4d5d7a3649cf5f4

SHA256
7b9fbef4bd984a0608d46b0340d53a7f3236341cd264b170dfb76cf74910d295

SHA512
649ec475efd5eac962aab028bb0b0c51201f94eb493ea3518885f131351ca82a004220c053ce56863ac96ef2a7b5f06c42732e19a0d86ee65854f183cecba908

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
fb77507ec0d76d9b0a5434fab3c7b4f9

SHA1
aba7f0b6bf0267f2dcf8b94d758ebcd97779228b

SHA256
44d015cb1e7dc376a490c12d8cfe75263a0f9c3d2f363358c547d0eec282c52c

SHA512
2f581f8336bb298bab803e4ff0d76b085aa8f52e6cc3342189921f2c952b0fc71fc0c30e98728fafb08a2c730e08c7d4f9ce93f954269b44b5730078c6a755ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
45eb50d13383597e66e51d35e1d8cdbd

SHA1
b60f8b1bda499ff8bba313d03291dd6c336e96ef

SHA256
dc00ebd51d97fc65759a91fc2de9015b1209f0458b0b3d6fc2564e8ca5681246

SHA512
c0937b53e4bb9c6356764e77790e653eb543e7749e49fcd9f31a65dc0c0a1abfcddeae43b66bb6531c51cd81c2837a9be6daa0f9f271f470e2ba20eb7a3ac071

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9b468afa76ea10d7ac4a1cd145e1b366

SHA1
e6d14f89d6b1d251e3d405e295a733df16341e13

SHA256
72fe69389845ae1a2f2a9db3c0e732f7c16a6b156c652744818d213cd09e1182

SHA512
bcafbda567a35de93422282f98de5853cc81bc87cc49745ca94bd4dd579cfd6081af988c2646bd65c597e1d13ade755c07ea28f66133b6035a83500202d53d05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
6c07ed1f98903fdbaea533402197a0f7

SHA1
b2090fe418e79309f34f18d11772307729f8013f

SHA256
01bbd154ac07f1a50ba4000dfdd6f3b7b1adca645fdbc0316a6290c38e4d409f

SHA512
75f5abe94b5bf340ae18e40aa7033d77cf0f464e97994e6ed970355264da9a9e210279b3ba20fbe164bcdc02a88eb9346da75b111ec28dd9f05f2799b26a075a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
91d3c41c877a9f81f8677be879e0d88e

SHA1
339d1cb680ac1d0bac29472aae83fe953377e2ea

SHA256
5310cdb04b2d3907fa21059a07ccdec928f6fc97b24773442e2a70a7c46c7bd9

SHA512
6b66e435de82dc09661f633396ca5fc3eff9d7fab3a817a72d8e5a37849f7df6932263131c0165a483327225544a3074df91f07f2084c8e922a8c39e25586fc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
603a62c6e8c624cf97c1002840227873

SHA1
c8eb5cf9da647fd2b0871b6b311f95c7f660e967

SHA256
2f2e4d6a305f14310fcff3f661d423ce6fe1bf57a0673feb584f7f5b36f0a672

SHA512
796550a2b5f3564a9536271ffdb9cf76acd4de28e1f08fc60b4da8d19ff4c5b496c4abe030713525e22c92cd690ac383ba987a8ea354a43f91b31d10e23d8761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
89aee1ea2725ff52b4fe79e34119488b

SHA1
606b5bf90d6e8b034edfb3510ad104c91a2dbbf0

SHA256
3ac25bb2c025bf46f750d34e6870bf8641e3ca65136cb5d04fb84bf4b57655a3

SHA512
d52f0b7dce278466c86031ab1df679d4b7c7ce4b8e1b006d3d2d1598c36a54acdc3105ba9dabef6d5f788fcc8ea3c62e194ae81e0d9d59f5ec6a4c7c885b238f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
710465fde5106857d1844c5669940c30

SHA1
3ca44f00b70580f2371b3d70bf9b7a8f84bdf2d0

SHA256
b59751d08197cd723040971425d980c0e4acd2bf65bec47da5a5c682cc574050

SHA512
14b8829154c99f97017ee1a253d9bf22204a0511d8d7f29c0c0f133b4ad5a65037941e36395a752146fb0301e090b4d38656a2e30e9b329e60e230a2650c1909

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
469dc19a5ab3d2200feee98d52a4a475

SHA1
49346ee04e76e5ceee8a728d602aa2f34e45dfdd

SHA256
b3a3d461997497985c8805f0fbd71e1552b1709dfda8be29b01e883617873e07

SHA512
98b38664f6284e125cdc3c534e7093188bf7627f528278a5829f055ef5f05c2c4b244c16a92c145979f695871f22348b09c6b8b047b83a39d80d35bccfd99cd4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7bb7580699cf6f68302fd21ad761a845

SHA1
ca9f55e73575a011291b0a22b855b1b732a94736

SHA256
92fcf60e82fce0fd7072d8de774986ed65d9fa5607271bd1b1966633dea4ae9b

SHA512
cd6184a6c8cf39d120b99950ae5552aba1830d25addc604a4f7aff8d5f716afee1d70ff8470920baa57abc771911df8d61a6fb133cbfb80d7565ebc269e78644

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0574f73a71ed5870800a4599c3b437ff

SHA1
3bcc8265fe99431457ad48d97cc71eb35635553c

SHA256
cbf103889a883729fe857bcd1f7522ee71211303a25c6cc0d6e5046eae04cdc5

SHA512
def85af41e00ed3da654ba45608ae60a1cf17ea6ba9f71f1c71b9eef9945ac47ce01b331aa3537a39c60b486137206233d50c578c7cb8b54d9161f1410c14ef2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e91c445f92100a55c566340a6b3c4131

SHA1
5799b1d6103e80d7ac05c767f0ecb989d1a29f64

SHA256
10596e05d3928aee9026bec11541d94bfbef73b5d2dbef3e30c12b16574b9a07

SHA512
cfe52e6a40b6618b7fa742b15322692ba4bccaf4cff07bc421f465ed19d57a64d9b00e54f63e068599d1f67e7aaf7d3e4f784e3635207328e7d5f774ac4ba0e4

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8b0f077f20490c9760b3718a90c0f5b2

SHA1
244b233736e1d64cebdb035fea99e394e22361cb

SHA256
961206ef78f21503ce2889ab0b8cc8014b0d979d35f9e7230b1ab4c31c7de2cd

SHA512
67e02bd9efa44dead0ad973f4f2b71495254a70d179051f82437e44d51b1be8474a735bbf190ee367aca1c4487f1a9f23b5bc0f6213187908890baa79fc34130

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
8b7d06146ef9d70ff19183c78afd9b12

SHA1
4112a09397491d972ae4cf027b19a8404e0170bb

SHA256
e2444dd49570ec42562b7ecc54df133f14a6f689775d593434ee5f768c963e94

SHA512
8923c49c8f3b7877ca9e36878dfbcf2404fd0e3dd173e4f3347caf37e87110727d553f35d9aacf9669911343658c8c8b1c533d61b8e69c3482fec9e868569340

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
eac62e6b11b4a650a8963d49e7b7a9b7

SHA1
8fdd9fe5abdec4f0fb53c2d465f8d893b9ae7ca9

SHA256
302b5721a1daba6cab297ef7c8d7bb0fda86b7cd9e694c4c7a7933c3e440c366

SHA512
69c309cf0626a409bab4fb6421e93e56af1e2bdece9f8a746f0f24b34148933cc42ac0fb5bef2e125388cb288409b548e629f84cfbb1292a19f442257e772c67

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
2f3d76666be8e5c0819b249baf59f5d3

SHA1
995056d19e7422ac01699343432d78b82a7fbe6a

SHA256
65b91e81cdbd1277989ae3ba3e0c923ee3a7cbdc855bc2470de419f735c6b0e7

SHA512
4522242f3e062c46edf887077c2032a40e18fb5e846b293fd0e973cdd2f4a0e78971a0489d5499fcac1356faeec52b8a091e0dff394060fe97fa6d9af729849a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7a7954d8c25b47067b6835abf7e351d0

SHA1
4705103703d47f95baf80bc8afdd006c4152f0d4

SHA256
076121c767fd22760a01bc3c791f36cfb0057e53715ec291732757b368dd5d80

SHA512
f63673d67bc9256466e5b18446287fe20d0c1ebcebb7a418abf8804519712c71abf0dbfddf8026e9874e35d71ca58454f02c6bd97d4d3bc6e4fd034713ef094c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
85d8eb248f2122289e91a1d4bafad131

SHA1
e50c06f02a259d2f3eb15a384c12118ac5911640

SHA256
27e4b440994a5cef589f025f710042122a91d7a2497401d7cccc37570ed5e3d7

SHA512
d92767653b8c53ee11cdf2c76b45a80094163b5d42c06f36e611c85fae14ddd19977278d05fe729ecf06478abb5e7a519d8df90fabb9a18b799974ce6401620f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f5617c20f5f18ce71a0c32c48099a370

SHA1
de31d8e95c411609e1743a72895137906c454ed4

SHA256
9207946263d04361c35aff21f9efeb47b4ff185f53b0f973ae75d4d7064f1438

SHA512
77857a4725e421ea2da224af3d5f3900da3f1bb13370dd0b4daf9349483b55338314539128f9e05cfbbacf92e057ed98223cbe4a176ffbcdb2639922c6b3627c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
f657cfaca8580e6f715c3cfe50367730

SHA1
f258b4a5ec36eab8991a2ade1a58f7f207ef2d25

SHA256
b5c1c4ed29c52725dde622ee132fde52082cbb853aa2ee209e56d633bb443c68

SHA512
4dbe33412a841863e8d34f9508d5c7a798801c20521343ef78ca22b5cfd6e5961272ba129243d49abefdf9c917bae75f06eac4e33102dee346901cbcb7de4395

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ab9a96835e4c8bdb78a812d22d4ef660

SHA1
717061a5df45b19252f66bdfd0554e322cfd9261

SHA256
715d1a725ae925f3bcdf980e64131b70c45f083f015b4b8bd302b3a1fd6b2bb6

SHA512
1108f6877fac14031e26f6fef8987288782d2126e405ad5d382ca2d83aee22fc06e63f75ba55854f254e862ed901235fa8376f6c7820a3eac6667d24237b906b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c5263a7dee6c47321efa812b72dafa1d

SHA1
ee82a0d0a06e40923249db32e0d106b78fb99393

SHA256
4446815f3302a0f35584f7d469af5984ff19b456823540480c09fa76a5175a98

SHA512
696bf67806d501e7f79514768f344d0fa40df4583c8bbee0b4d17b5cef139f075ea3d954a525ba25f9dd88a0b2a0abd5368ae9ce052e9562b779b84a5693ac94

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
3736659ae0a5dfcc1bcdd67855db8e10

SHA1
aecf13250e0e79ef5aae069ddae93c5feb4e07a7

SHA256
f4718f855f18ece2480b66b18be88bdec77dccdc599b2e1117709e28402aa9f2

SHA512
4608a15fb3547a600f6f8f50ab4b91bf91521e1f1c985cb1a5004a8cbf8feff938327b5741a441f9d4ca3a65adeaa86700198ee2258ad34f81db69fe028db7cd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
4719894f0e43e2f6e1b8ba464e3df849

SHA1
52e3d8c948d46928414d3196cdd241f8672dbbe7

SHA256
398533ef7d9bbbc0cf9534027914ef846c1fbd772ab2546f6e32dc0032936761

SHA512
4a012b76b9be606b7fd62894e28206397db45642c54d9e4689c44ecbcb89ba2ccd2f35a22a3c88622e5bb6c702fbe215dea3d8d2ddcf94d08c5ab0d8fa51d4f6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4512460721932a802ab64f64dd8e2ac

SHA1
88e7f8a983fdf1d038b0d9a8ccecbda6407789cb

SHA256
cdfd69d48c89ed070235b1992f8f73992d373f204b3d8d85553feb262022f587

SHA512
faa2d8844ab6f911f33b15d8b7c382c3c3896ba1fbd7c98a9288c22fac36c06bfeb13e705915061dfd20644290f55eead0b1b90607c039baae684eb5b048d86e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
442ab00ce2306c0f69a55f80d95d3444

SHA1
550713b8cd3baaee41152a6b4263e49418af9b78

SHA256
e5fae757831ff6075c3971ffff14b9e97ee31ac10e69fd9f61c7884e44170b10

SHA512
3f39fc47882b29cba58a67a67b38a688fed20ee94ddda5c4571cac53838e1baf73850873f2ad0468183dbcc495eed8e7b3f0c46360884a6c2ca9887cb7058502

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1f6da75d1a8e0492327d6215f8061cdc

SHA1
57aa0787fc57ec3524902f5948649ed340e04d34

SHA256
fcea5c1730364f2c4fcf427d223e1232ed530168d089ed54718c08f92964023b

SHA512
d9cdd339d2ed05b25a8b10435aab4652f833e3d69901d11c3d1ab85b835c0382928f2d393989e7c4cf7dc90c871694acd777ad68da4d173651a2ec71c7c6d5a3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
faf1b331ef5edfa776e5f03844da4341

SHA1
f18d4f854145d282f6e47f3b37976694c02d1af5

SHA256
8ece5f6c17a437803350486cba9dae3f9172cdc23f8d83ad3fc155a6b46015c7

SHA512
1c45799f2b3a59d43980c700dabc1734563f7215003abc0ae65d2103f91a5952fe814e85b5f2ad3a383e69302be3fb3f0a643243e6e87f14ec02c3bdd6d3a262

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
d147808fa6c91a2c1bb235a4aa92c0da

SHA1
af3c0ab37fc725fcefd01078fe0b1733ea9f9aed

SHA256
fdbd0109ab3f03ab908812690096585922082f9b1c37808c22058cdaa501c546

SHA512
d6c14f81384b2b422d23bc2a53bd0561dcbddbd1d6e466ac54db71cfc3926c9ccac530634cd6c865b036b4236c7396e9f1069aa161d6985659193fc269f57cac

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0ca93a37bf7eebe48f32815296faedad

SHA1
b56637bcee01f08fbd305ce1c39e069f83f09dd7

SHA256
e2364009c7b1654b749be8cbffb6680b68ff472653a96ec0e7cff9190e449681

SHA512
a14aae4ae5b5b1310a1bfc3ba4c7e950b67af4f3404415732c1ff2eaa736c87c4d901560dc2e5a5cceb140b692262b68c38759e5b2845463ea3a3b4d37d868ff

Download Submit
memory/968-3-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/968-65-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/968-7-0x0000000002060000-0x00000000020C7000-memory.dmp

Filesize
412KB

Download
memory/968-0-0x0000000002060000-0x00000000020C7000-memory.dmp

Filesize
412KB

Download
memory/1200-186-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1200-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1200-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1380-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1380-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1380-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1380-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1428-226-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1428-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1428-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1428-232-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1456-163-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1456-234-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1456-173-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1884-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1884-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1884-74-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/1884-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2068-93-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2068-92-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2068-100-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2068-158-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2184-193-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2184-261-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/2184-201-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2188-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2188-51-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2188-52-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2188-58-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2700-208-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2700-274-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2700-214-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2932-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2932-159-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2932-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3040-287-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-295-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3428-116-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3428-106-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3428-170-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3432-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3432-77-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3432-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3432-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3432-90-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3456-257-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3456-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3516-206-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/3516-145-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3516-138-0x0000000140000000-0x0000000140129000-memory.dmp

Filesize
1.2MB

Download
memory/3540-134-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3540-198-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/3836-185-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3836-122-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3836-190-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3836-128-0x0000000000B80000-0x0000000000BE0000-memory.dmp

Filesize
384KB

Download
memory/3932-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3932-26-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/3932-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3932-91-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/4000-440-0x00000202B1690000-0x00000202B16A0000-memory.dmp

Filesize
64KB

Download
memory/4000-438-0x00000202B1680000-0x00000202B1690000-memory.dmp

Filesize
64KB

Download
memory/4712-243-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4712-424-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4712-236-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4800-269-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/4896-282-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4896-276-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4964-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-47-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4964-44-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4964-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4964-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download