b401090af91e6bdd212c354a813f17325346d558731e3d53215f2b218704d96b

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Size

24.3MB
MD5

35ef894189945537133ca121e4ce532f
SHA1

7aab397e256a9e8f8a80535e2f220ade3a590000
SHA256

b401090af91e6bdd212c354a813f17325346d558731e3d53215f2b218704d96b
SHA512

272884f671f51bca369a339e1599bc0c368e456eb51094e03795f84eb37b149e5222f694527dd0898172ff378b35bb00375da543de7bd2e0f71300b1aad56644
SSDEEP

196608:ZP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018LFZnY:ZPboGX8a/jWWu3cI2D/cWcls1sZ

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1848	alg.exe
1652	DiagnosticsHub.StandardCollector.Service.exe
4372	fxssvc.exe
1928	elevation_service.exe
4772	elevation_service.exe
2152	maintenanceservice.exe
4000	msdtc.exe
1336	OSE.EXE
1768	PerceptionSimulationService.exe
1344	perfhost.exe
2088	locator.exe
2612	SensorDataService.exe
3688	snmptrap.exe
1400	spectrum.exe
3632	ssh-agent.exe
1680	TieringEngineService.exe
3316	AgentService.exe
4376	vds.exe
3452	vssvc.exe
2556	wbengine.exe
2052	WmiApSrv.exe
2672	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fa56c358b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exealg.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

Processes:

alg.exe2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000282ba408f5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000398d5a05f5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed29e208f5adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7aca207f5adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe

pid	process
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4372	fxssvc.exe
Token: SeRestorePrivilege	1680	TieringEngineService.exe
Token: SeManageVolumePrivilege	1680	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3316	AgentService.exe
Token: SeBackupPrivilege	3452	vssvc.exe
Token: SeRestorePrivilege	3452	vssvc.exe
Token: SeAuditPrivilege	3452	vssvc.exe
Token: SeBackupPrivilege	2556	wbengine.exe
Token: SeRestorePrivilege	2556	wbengine.exe
Token: SeSecurityPrivilege	2556	wbengine.exe
Token: 33	2672	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2672	SearchIndexer.exe
Token: SeDebugPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	772	2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1848	alg.exe
Token: SeDebugPrivilege	1848	alg.exe
Token: SeDebugPrivilege	1848	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2672 wrote to memory of 1164	2672	SearchIndexer.exe	SearchProtocolHost.exe
PID 2672 wrote to memory of 1164	2672	SearchIndexer.exe	SearchProtocolHost.exe
PID 2672 wrote to memory of 572	2672	SearchIndexer.exe	SearchFilterHost.exe
PID 2672 wrote to memory of 572	2672	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_35ef894189945537133ca121e4ce532f_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2228

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2152

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4000

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3688

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4376

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:1164

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
2⤵
- Modifies data under HKEY_USERS
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3976 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:5248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
dd1e22eaf276883ab32ab027f48dbe4f

SHA1
7657a29bace3977a6c2aea45ad4a1f2edc3554ae

SHA256
32364307fb5047faf346b74c0ab3061082efde1ef443969be757e6112505ac41

SHA512
904e73362801228cfeb4276ddb4714d92bbfcb9bf384b653527ded12941f03dcd30b4683e7c7e9173b1fb3438fae7b124805a3811fa9d03d6395fec33eb81857

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
223d383ecb001a7ea7d336abd5fd7a58

SHA1
19995fde6dd6c8ce9e1f27869e3a11c24db172b2

SHA256
9274b5072104de3142c680ff835d698ec188b1df3bc46bd4d52ab12f774ecdcf

SHA512
19fe81d4616e677fa2f2f6542041dc588bc3ac6655fae3b4c3ba5cc1826053162457ff84dc87d6e81228e7698453118fff52d3095cc08eac025bf321522b6988

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
da338d7e69c99f3b29830144f8842e1d

SHA1
0d5f4e09f5aab8d72f674f204212d1c66dbf7582

SHA256
84724b5daa512f5c8b1e643e75e25bd86eda27a4e645218645e9b85367606ca1

SHA512
4ebefa6c01cec3983c409380ae1a98f1ee650b12506be0af7918935882b51d2637487d0f5efec6efec161e342a996d4aa9afa1349c145446d6e3bb9321ebad7e

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
089653bfd38b1ece3b8fa79d8f355077

SHA1
7648708db504c0c8c50cffeb769e3ef04e3a1ee7

SHA256
9176cfbfa3f2bf429d74eedb110953651b7e9ca94d5cc04418ad7d92a53cd251

SHA512
4038828ac1dad1a0814db6c80aa83cfec8bd4f647114ce0c700d172cc6d4f5fd9d6c10691fbacbe02531045e3bad3d9739a81fd774e45a90e7680a28ffc637a0

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
c41ceca851441218be986822941d83c0

SHA1
ac8b25d191875ecbfb2bd5f3591119693d30185d

SHA256
d9225af7f50734f5701bda4040252d92b7dfe811d17b9a2fb9f8b2302ca7de3a

SHA512
7e587752e4e80d539a070a0e99ecdf580327d6753951af2c4dbd78ffbe5d7094285ef3994580f400f8d1da05e2c29af190e691bfde7e29e4560d7a30a0292df7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
a32ebf2b22cf75c207fb67904aee1fcd

SHA1
a01a1634f0582410ddccb99dea3c13da53380aae

SHA256
b80c3d221e8467d0228ec3d5ee118d76a4c55a6bbbd642487a3851cb2f1d4d13

SHA512
fa2f5d7da2ad5e0d546202141160d790392d645938ce015ad22729a53f88e785472fc17151ba247f4bf4e5767bfdbe41e88d649246ed62ce73947a8fde7959e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
130002458b8c96f4770afc70e521aa60

SHA1
b261869aadeaa28f221b84d870429e006a13bd31

SHA256
2bb87657295004f7481ce75c387499934a5e415625c2d13db7bf867323add706

SHA512
c3b050487e2c7adae17b2771ab2d3404d06d3115b23e5538a9f1c1dc977d023ef51bba3a1631822b74afdd5449de561f891dfb70d8913e0118c634ed88c4a914

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
6188b5bc7515182362f04f2cbe00dcc3

SHA1
705604f0344a77891469482d8b68acbdb48be95d

SHA256
c093c5b56f95da75e50b3772aae4cd57b22248671900047d9f48e9c6135a0b7d

SHA512
a211cd1aed650b785eab9ff96b4dc946e6cc04fd25593719ffa768ead7ba34598bf93567b3d83a7f8c1246266c18704eee474fcd7c986028c9820731c041a422

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
92a87cb486f6482740837bc0e1f41aa1

SHA1
6d07f58b9276dc72d47984929e24308d63e5c622

SHA256
5127f816a6d63d4ff7930a0a8408ced6632e477331859e1e008bd586d53df1cc

SHA512
1775cb5429fe82b5f4c7134bcff423290fdb50bb5ed1f11569c991366b8db0d11573bdde8f211882e49afa4500835b0f4639e7fe9cdd8d0d6282db76ab4d5632

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
e3e741a93913a3378c12e5ab11e29030

SHA1
2640ae762cc89fa0eb7433d9ba525beda31074e5

SHA256
5be4335946f4b64bf10d16712b0a73186abce7c28678df2776844c9078e7aed5

SHA512
2d03ac18355de69948de45003f1c04b2e3026a5b00b8579df14b3b3a821053f94abad12f511bed50f623ef6543fccc3386622ed4b7291e00d7a8c4e4d79e9f9d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
53c2eba93641b199d59a34b0312124bf

SHA1
42484548b623008938eddb7e7e22b570d5a9b38e

SHA256
6945e4722dd49d11f39320c58719d39d6ac04a3745c0261e876a1fad3856c107

SHA512
6b0a24e98856a85d9f8e277232a9e43d30157a0512fefbfd58164c7dc18a4206b27bcd11ad83f0e7a93f07f5f548bc018be0f4db1db04a1abb7cf4a337810057

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
01019e56e58fefad0b53259d749ae35b

SHA1
f80a4232b35f9ffc1ba4b5c415a8cd48637a9810

SHA256
cb1b8aacffa1d1b39683f24c0d3ab3eabdf07586a2bebb6890fd4d71462c64eb

SHA512
3bf30007ed7f4e6345ecc94281ea497ff756f9e15125e035ddaba77d1f467e0326de5c5ae9f8ceec6cb552047d115120f0305caebfd3088d5fca85cf52f8c54e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
c115f9ea0923733ad5a8b0d2d079bdd3

SHA1
06e364d3099df6f7c44e903e9998a245f20fac08

SHA256
f1177e927420e1fa40917cc14692c707e2fff24ff9cf017bbce5f5e37a2aac49

SHA512
a0accec459f970ce7b7405c1395a84b2e2625453b29e7455f79817856caf080ecd1d7761e31374a504cca64cfcf772d353095b9f5dac92bf7fd94c0fb4083118

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
60f285083cfe137e8bf9b74e76330b16

SHA1
a7c71bd410386029b246a207670f6cfc5987dc7b

SHA256
280ad0f596ab9558bbffc9aee811e0184c5c61c49fe7104f69570b62c9aab8fd

SHA512
fa7aa2bf3df21f1dfeb7511387928ce391008a9ae4157eaad7fc111b11c490c9375c97d80782b8d677672ab22108d5a9538bf885f02ea5e07ee8054979c75870

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
b30b0fbf2c09b7ff2718bdd955743420

SHA1
43eff4eb0914d075e73b7acb3c0279af78b4206a

SHA256
f31d52fb90c74596994726cf8ee887df738dfdc18451dc4419df6857f7728cfa

SHA512
aa2a49749404811aecfddfafcb50143d65e7e26cadf35d4cf6aa76e7e7f685c5e10abfc5a1a3715b7c4b9e7c3d3fd7953db2142e6de8b658e814c7bb12b2d8c9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
55c5af4eed8037a85fa05ba8a275043f

SHA1
6b0127270371d7bf3185a4d812ca188f114b07ac

SHA256
cc4906883fa91d049318a0cc6d3402598e7f49cd57bb45344c025c133b25b336

SHA512
011adbd42e221ef14143227366f365a14bbaf14f5071b42dd4d4e189eb28b4be25fc0635517927be5a97598d5428e8041681049511d0cabcc186b8a06395d858

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
576a10d24fd961e8f295d79ccf79b1af

SHA1
d1c2efdcdf4290f09e7682c85d8b12e13ee6af05

SHA256
f987bd706f4996d1e939b2fbef6e15042008aea3fdf54c8b84a5e0951f7f430e

SHA512
61aeb75b3b9c64e2520400615dec5a9f56993e7f3bd4f75c05086f1a548b4833b559dc6212344eddfd25066038aa0a0e7a04a43cb8e911881b5ee4e2f96fadb2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
9124516f01655bba70b9b566958b9bac

SHA1
7a6c0ac2c08acf8e1a8ec2071a60638bc21f1655

SHA256
99e76cdcfe25bd2b60d7317ad82da01475c88608d617760c0bf843f686e934bd

SHA512
2072d834cffdf362eec3a69a660958ce30c05d293f706e560bbe117caf95bfbe2b53b6191562c2181a07f0360a1849c01e4b105be2d48e23eef538460a9ada06

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
6fffca6afa1154a18fd2c505b91bdbeb

SHA1
6821e50d0719059825375edb2478270077797e01

SHA256
dfcf7933201df9aa92758b6de82b0a22810e7a526700796a471895c70a19013c

SHA512
d2e35f206055778b31e87a3e0aeafe5046781916a2e72085b46334ddcd4a5e21f9ce33dff2b2215e07b3354633088bb7e19f675d40833368cb4248a1727cc3aa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
6cf5b1a82cbcf8a924e6de389d2930bf

SHA1
03cd31ae2ff183d190e7447058f9a93ca63c498b

SHA256
89d2336d4b5d185a94625d157c4f31e437d1e05ee5298de38a98821a2cd65337

SHA512
71db39a6e87c27996c672243e79ae1be3355245f51f88f7c4b38a35373a2e1f316e74b23e3a8a8c3b5b49c29ea247110ec90b6bc586055ace4430074db85a3cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
b2c8bbb5a593529e93b9bb143446a354

SHA1
78fd8c98f1b48ec9ff2aea90a8bfce15af1f90d6

SHA256
a29a34827c32ecc25555d5d4b83138c3bb53a1486121c3b194c93ebc05cf1630

SHA512
230dced0d8aff9f2cfc5f02f7c7dde2b98c7019a8be375349d03c525b18305ca490fa652f2275d02c621913ab045ee1fdf4d1aafb5762bb84778281e9c56416a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
e061954d85184eeb342fe61fc624c979

SHA1
3bb387167969bfa12c7dc2df36ff740335fce11f

SHA256
64aed76e55700d2896b1b7698f90806538f2e80c3a88fccfe344866a941c902d

SHA512
9db28f0a3abc5c837c423c510172c832bac997fb4f5319bb848c0663e37fbbe864957a9c070c20b22b3800506d99864b14ec75efdd0fca56bfdfd436abe238a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
0688635aaffe07401b3bb94b0f7f8cd4

SHA1
a7b3f0696057735abed946c3cdb61203b18622db

SHA256
a8b2dd72a6c84d54184a3428cd6ed024ea78cdc86e51a6a10038f2ae1edfecba

SHA512
bf0f4b62da0e6b8e43f829be676fffb250b1a38cab9620e35f19902da769cdb309ee56373b30abdbd63c30aec6107173f79a43bf904ba4ce29b2d1c3c6b12e79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
b3e4b588f54078521f6f557146274325

SHA1
93ec7c36da5fb36136a23277191a6a245ad12caf

SHA256
59261d748dac7060d4a45401338b155ec398c5ef82bc6f240ad6e37eeeef5ac6

SHA512
08f36e4897e15f64de3dc3a56498fcd860e94d281b969c3bd1830a51ff84a6175d2f36187a89dec585b19e0772c747b18a91debbdda828d2d116ba1c1b88015b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
9255fa1cd707d13acedf1f191acd80f8

SHA1
69740f465f389ad4ab45cf9b73edc0a768db76dd

SHA256
164da984b231f9ee5b3f5ad74257a63135de50e72e2aeb0334bfcd04c5afb17a

SHA512
ed40d62a9cf103927b5d3c454fc65b33c5dfbbd1c91a03b39d0d8eda99d7e60e90d032b496694312dd8bab7eaf4fa4250f6f3e3a71441191bfe2b9dca3b7e912

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
d64ef3c76da3e0e7e06470363c87e552

SHA1
bceff45dabd289e0af92536a971478ebd6e4ee2d

SHA256
4dbaa0044a8dd2cbe6c59683ceed4bbe0682311c2b0216dc624af4d6403675aa

SHA512
7a06c49dc1b6abd62c5a9614b5c60a1d996ea082a2fe87c6201be2b33bc5ce7400bcbb148712df2e0129e31c4ee6677983dc43023ac1cd72d72cef894131cace

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
0671c95fb8db0e06add320dd094dc43e

SHA1
f7a4f5e4c3997a401229d72b9880b0ceea51dba6

SHA256
3c71b000cf7f13b227a3deafa649d9d5cdfd1c9e0d37bd4f14133fb8039f8011

SHA512
423b998fcb4ce3b1568f6cec46a908d1567d31a57834eef98ae43b72009e4b0c006e09d29d79d4dded512027f696294904c8fe88ceb3db786c6fbc261166f3a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
1ab12e149053cb1055113fb588cd2f64

SHA1
4cee2232321deb9f8fb1e6b2b47d6a7944e32d01

SHA256
24198a420dc10a1581b4844d5612f0e0502cfa3f2915429de548abefc2a94ff6

SHA512
88abeed328526c02b3365ecb0ebcfb52acffba8227104939c256411d0cccb03165f6b3d175779b436ad6bed14f481b27aab78e2201a8e4637f0f1b529da5340a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
7ba13db3c1c71d39f1bd052b66b56720

SHA1
a6eb7ba08e7eb687700f47f12f277e73ab9feecd

SHA256
658db5f70cc74bb8665cee861d42d42c9220cb2b77b1d93c178563f5787d0bd8

SHA512
900a8e35d5e2463d36c02149c01543ff5b90c7ddbc37854769d6a7a7eef63235ee0bc7977808767e1e6c5201960c02166831069b230557afcbefd09adc120839

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
a13affb9cd178375191a322e743f26bd

SHA1
4bbfd6abe1c4e58e9d23da48520566eda476eaf4

SHA256
bf246f75d1602d5f34d91ca3da72c09d665a401367a4ba7353d4f3192a41d2c7

SHA512
e6191a2acde181ea7bc92b06700b1f88b74bb4a93e3e17afbcba67397b924105b9362a8c25dfd6be7ce2a3e71b8619c5962f6bf8963a9f25439af0dc14758225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
6c33f03d5342dfe2e5354c79e1ebf8e7

SHA1
e96f60f53dfaeecc919a54b6e0f48ffa7bf25232

SHA256
7e70a47f235a8bff401686188818a9148409eeef410da019c7ca111df6fc089e

SHA512
ff409265c9453d466663d2074114a68c9c2e225f3f77f6e36819a7c458ce1c6ebaee0cc55b7341c905549b47ed89a691125cfe1d5743da5dc90b401c61c17e15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
f909bed5b1634c79cdc42ea37f923080

SHA1
426efeaf6815c0f38a09e917762fa26e54fcb3a6

SHA256
a4324dbe78835ea56696add739b3dcc0224e3e0ad55a8435e495b29a7ed6ec1a

SHA512
03d28ff24d59bb9b20c4b5fdd50e6083ce42eff6fff8da2f1b496cc41ee0f4962c12a0b337c1165c6f7f833861c09b6d514232a87a1a06ebcb9b09dda466c4cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
11adf747ca75eab015975619fad86caa

SHA1
102440588b28e13d8897574b68fcd09c5650c7b0

SHA256
19795c820e88a251f354f997bac0fe13578a8f79f96c0759fed0f595f50c295f

SHA512
b10dd38740d72f51bd6e620d943137ab50a976490803c7ba3c723185171b8193e5f8ebb7570a87d6eaea5a3586cb6e4260691c6104c1732cc97c95a30af4270d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
b2779d2bb3d68d13f73e5935d19f19ec

SHA1
96dcd106d216d2b474a8b735b5be7c4d0470e3ba

SHA256
5f1f9884650d8eff21da0077c8c17e0eeac516d15d083be2475b888172f5d070

SHA512
0e3e98604fa779a2e5ff245e5ae0ec1184880d5c983d5776dff783a6d9ae48228d7513afbb1e6f5a1ef763e2703d3ac18d229f193034ac8348bee52a74b1820d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
529e5f0d6c5e277fdf7cc634eade03b0

SHA1
dc886a9e6236b82245e5c976733415ecc0e0e3b0

SHA256
4f9358cc2450bd2adb2d306b6ca03e73fb472b2b4ed11193eee33b92d373ad9b

SHA512
78249c08626fa74eaf3a1a876a53989f3c4239f74f7218a52c33e19a81928e8c1087d82510be914e2555cad58085d65a37fd2e85632a9fc0090295c633f2e278

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
02cfcd3e82bc88d3c1570d29f0091a7a

SHA1
bd4a72a446ef53d39a8ba2661e2f6f7a3d7aeec9

SHA256
5b16f5203dce291ef6fd165423930f6c73c140ad1a5e8fb00a036896e5e1b8e0

SHA512
5745de910811d915b059a33b21935d63da9eb9ec01d7ed75e040a9f562a9bb9f8215ddca8c3ad121960a40f5870d71a4acd7007fdecb7ae1c6fe8ee6632af1dd

Download Submit
C:\Users\Admin\.node_repl_history
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
1da3d3b6b37c849e28acdd222bfbfe39

SHA1
99f3a03147749b7cde936131fb1c9f90e0a2b2d5

SHA256
6c9968198b9b978703e5f842a0d992af4acd604cee8d9f68d0183cb546d68262

SHA512
a99798e06e7fe0c4d596219edd36d6b489c00db8a5cec9062790882cbbabeca91237403e06fa64f77ba16d0142b17f9aec7d1c496aa86c8bdb55a84119f84a10

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
1b8ffaa854d8459b6c40da83a367b70d

SHA1
da6c699769100150404a05b18fa314a1f2c83b40

SHA256
e3891d1beb5f1d83d8413ba465f028376b3c94f3d903e4710bfe4145f7ae69bb

SHA512
7a4671d03a3871b824a4aa171f498a843c3c8695aac39077abb7091f52607707c4e9af36f1cb7cda2d2841b62364f6f67c3bd3c4731ff71e55d3d52646b542d0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
24f443be5fc20cc40776e76b54c97f56

SHA1
7de2b8fa0df89df0a766ce8c9ca1a733d4497c3c

SHA256
c6847e1ff02d6355a5e21478558b896efa1bc678d73d5d2a8bcb2016ce24559d

SHA512
795b464c61ccacd841dac594f5ec701d57b978c73c14248bd84ee9952679cdcd23f2d4571b3fbf2325aebd124a3e4f12f24b9b62023575b5ecf4fae855a08faf

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
b66ac4e3c775ffcb7e9c41417788ec50

SHA1
b6173b3c26288b5aef543838e64b24b3a301547b

SHA256
f2d8e62071b90d2294a117bfb69a0162c6007631fb70269a83ab3bfd7072c978

SHA512
bdc0542355aaa202be95d69cb49467bf05d7f3faf3092209e3b793637298d21a236aba5aec670b4b735de084969a99fe2b42409c64ee91f24bac5942c6a19080

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
1c344c33da3ef02cb6ec61e61be6f868

SHA1
37057c09d806e3444ca05c4add3d5c17a8798995

SHA256
ba10f191d9f87549ed264320328a76d83a48b909e660d20553ed6169b42fa5da

SHA512
1335733c015f6e196b2e9c841dfa8f5146abae10fabbdd90dd661b9c10541765c74d99d02be6ddbb179376484e4a4bc1e64ed6982c1fea25ed8b71212ad2a295

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
8878e5c0861078727afb9dd0f28c00dd

SHA1
da04bd99fb29f972bbd49392150a8501e3579c66

SHA256
b01e9e5910c4805e23dcba94dfebb28e4d283443dff13282ff8e64df84571032

SHA512
9ba33d76aa4eef7edfece9d0a0884c2f8e9110f9149d22d51a27b8d7111b66254afc60e46f2c8f7292d3f4374b9d7a2884e0edd6e3d0cbc262de37476df0ec1e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
d69781cc696c10127edb5dfccd22cb0c

SHA1
fc4ce0b71103852d3145db6dae3f8367a3090149

SHA256
58ce5032eb57cd0ba15cfc12653e9bb88081e0ca5725d857cc977aaa91050a90

SHA512
d6dd408e573ca7f6c1877a0d859fdc5cae282c90206dbb409a6df49d647acfd8c7bc7d51121047b355c550d3244db1171c470c802cf37254e7878dd8cd5d60f3

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
39584dc63f7d728af99a77e5a3ca067a

SHA1
beab99d43f9b67c52d371159c1f4ac778280b417

SHA256
86853bf95ba2a309788056ae2bbf2fd8e421e8271b62e6b81fb665df8ab8e457

SHA512
0cb4bf83e5555cdae3ff0b19661b65306226acc8a5c31cb2be48beab8285fe768f22bbd85186565a06a769a133f2a96c88d9962f9438a902070b89559812ef36

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
3554d30cff73d02c0ccba1ad1267562d

SHA1
04b17565b49df83bc98133990cc329c2f8c83633

SHA256
f6407d11ec29c9689a291bb5271ef9255ff2dbf5052346090edca59f35f997ed

SHA512
d7b30a351137d5fb0d4ed719cd2f70e7b88cce0d9961f24e1185878489c994ee53f33d207d2786cf340a54e6ba034bd4f5afbf8d3a4138bbafa9a93e4e99391c

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
f0d4721b26538f74a6cdda8ed81934e2

SHA1
d88061b0c6b2156be835213cafff1af3079caae2

SHA256
9bd59e93af37143c5f7d2a06cc012f6bf9486c55372d23736ca2cea68ab9346f

SHA512
a230086b3311944f251881e938614e66fa6603fed3869d06439f22b47e1717fcd9af554dbd89711ee413e80ba804ef8855b7dd4284698255578ec3a2e83149e4

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
2eedfc666487af03a67ff2bb5ab2e014

SHA1
018faa3a8ede92c490d457a8bab293f205988913

SHA256
b374e80ce55b3aa334c674434637365306d26b86e8ba450d1c47c5daefbf9c40

SHA512
ffc733fe2606099a0a97c5ec045fa0cba197ccbb765d7853fa479557e63b6d7de85452c3b1ed54d58ad7da8cb590972db1502c1ab548993d8b68e5d25934bc0c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0b6fa26e93e965d1646669347ff421e6

SHA1
8308c88a8b8f11a15c54f4d600bb4e36d8e2f177

SHA256
96a21b71f2422bd747444bf2aef6abe65f2a5e6b8ad375b2f490488a2f638b21

SHA512
8484c4090efcc86bc4b7a06f31d30126babbd0b8c1c1eae438993bd872ee7d8c51ad18134b9fda9d62f14acb8e197193d76bdab443ed6c33664dee30f1d125bc

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
aee58dd90360238171a405d83a353df8

SHA1
fe9e0921c481fe53f170b460c928a1ead3ee5c9e

SHA256
afc09a0b37301e8eba1d663963383e5e9881d0a11c06675e011b73913d4ece97

SHA512
592f3ce967d252d0660da82c80dd24a8336513ba1c09cf8bce9bc9cd3f17961dfb44fdcc63c8c8e7e475fb3c7d24f61446f7deea6960ff5d120a46e01d4f6089

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
973c2da4285cebb6962fc1955abe06c3

SHA1
786c9b7a9afc38434136fc68dae491967c5c488e

SHA256
adc94ad82600b439e14012f1fe8a8b28bf322f7e83ee9b28a0bd40eb1f488eaa

SHA512
67c9639bea2009111b741cfeeee469416e6336d7bd6fa67e35ff17959156724dc5574ae4438bb033fc4e6a2396d651f4c3a7269f047936d024b7791ffd4a034f

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
761d47c7793a3314dca614867f4078b4

SHA1
426c18abf61c14676d21e54f7a129c24c1f65e2c

SHA256
6b7de7983af36a2de97056bbfbe100effdced1098d38cc2281caaefe346d1890

SHA512
43304ee193f1cefcb11d6b2ba6127727bee75a438f3571fb00e738b0d9158b6215e6ed0a7a4bb5c9968441fb6f2df79fcfc1bf043cc5d0c864856cb811bda37c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
5d1919a63f62a15b8dfdf44052259b7a

SHA1
3e68f45a4106bbe9c0c43a93f3caf955678a0a8e

SHA256
4fe7a07d662f96ae1ba548fd224fb43e5c91a0fdcbfe381dc6f045e985a1dd9c

SHA512
142eda9c5352685b618f883f8d7ae80dc78ec4dacd3705bd82d9bac53ffe8fb283f4251976c4de86b00673fe67b0fca2e17a9fee5ba8e5a4f281069523d53cfb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
ff8e48fc610017c88f6ba13249f81a11

SHA1
85caf0efc67f92c1e17d63613f04acce5449b00a

SHA256
56a2712e7c09e41c5f5a636c02243e2df7146e9a90a1776d2b067b19ea732e9c

SHA512
8ea62372f18e117770eeacd053b8a21079b001b4c8a216a8631273bb02b4e77504bbc652c41740b5d264d81a849230eb7bce38d60806cd1751e0fb81a25704d6

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
81ab516d58c4e7e899539ecb736a611f

SHA1
f1c39ac4bd6c6e8248d373aa7e8a124fe8be1d9c

SHA256
1d83c7e601c2bad6506033ded8a92d32340217d04ccc85dd852475cf728a2f7d

SHA512
b2f9cbfa56de1053c6898f437ba5e58a2537bcf3eb48a3247b0933b95670058e11292c1b00011d7a0042aca33868905d4e955632fa637d602647a3dd63d5f551

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
5b0af031f47b6b07975766637c1427c8

SHA1
3d798b3011256775d8b64a7916e70098ef3c503f

SHA256
a7f3818667fc98ebf65a58eb23e770ffff5737b4d488c1dd4648e15a5444abc9

SHA512
eff477d8074132469788aa9fc27cb3fd1c4add1a89d04329122b5478448a6c64c7163de8a5b9efedb93cd05f4baa816680968a4da84d883910969e97d4c10004

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
8ae39e737f2261efa6fb4b4851d81586

SHA1
d89870a62e814b44dba36082bb90f19a5c7de502

SHA256
911c4274ee4d458ee4b39f2fbe0f8f6868110c7a82df4057a7da5f41ff86e0b5

SHA512
2d1d474b2058c6f3302a1952d2fe54d032e1693a2683b9648a8b0874ae8a0d8655bb04f9faac4e082ba2bc4e5d93f73f90b9ac139fc64ed7e3dc02aa5f3944f2

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
b3d127d22019ad5b40b7a97e64cb8876

SHA1
ebb21fd43f47435897405cd26bdd4447f3b90f04

SHA256
581a54db5ccd67e7cfe74f8ef05fce5ad6352944d22f1820a12d304cd1586be5

SHA512
8996efff9c033cd7f4a5458fc202c2075bf399ab5447fd0e5a310d7cb9cf932d185091e7bbfa470bfea54b8660152d5414b963c9734c049412222fbc794ade0e

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
886ae622b48e0850f361f9620e2c89a7

SHA1
37a874ff0415603c4ad97925e9062cc9a2dc9dfc

SHA256
f6468b0c2357c6c641a7fb279e24431c19608137862834321bf4c0a1ca442d0c

SHA512
2fccacb3ca7dffac7a7dae4fdbe2d574c6991a0c042d8c4dde3d052c3d333eaf60cd32b28f390c51aaa2aded7038d3821d1259a247f033426144025c0e962fc3

Download Submit
memory/772-6-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/772-7-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/772-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/772-1-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/772-86-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1336-229-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1336-100-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1344-245-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1344-126-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/1400-364-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1400-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1652-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1652-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1652-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1680-195-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1680-412-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1768-233-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1768-121-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1848-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1848-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1848-114-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1848-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1928-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1928-57-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1928-51-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1928-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2052-456-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2052-266-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2088-136-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2088-263-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2152-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2152-82-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2152-85-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/2152-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/2556-446-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2556-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2612-360-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2612-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2612-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2672-461-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2672-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3316-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3316-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3452-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3452-444-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3632-388-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3632-192-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3688-167-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3688-334-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4000-89-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4000-206-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4000-88-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4372-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4372-39-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4372-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/4372-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4372-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4376-441-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4376-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-62-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4772-183-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4772-68-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4772-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download