4899326608d5411a7fa17b98e369c87c1bf21a0852a64a94d14180919f058f13

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Size

24.3MB
MD5

846030886594473c787044b6204319aa
SHA1

2b53055944314edca47ca57d17ba36819c11ac5d
SHA256

4899326608d5411a7fa17b98e369c87c1bf21a0852a64a94d14180919f058f13
SHA512

d5b229be19facc8918c204e276c6f3984570c66d028d941f2a3cd1756b21958f0cd5f10644f119deb4928c70fee5bd77b7f8dc4a29642ac25444fa420bf7837a
SSDEEP

196608:GP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018zlqmX:GPboGX8a/jWWu3cI2D/cWcls1qI

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5008	alg.exe
2772	DiagnosticsHub.StandardCollector.Service.exe
4660	fxssvc.exe
1384	elevation_service.exe
208	elevation_service.exe
4844	maintenanceservice.exe
1588	msdtc.exe
2168	OSE.EXE
5116	PerceptionSimulationService.exe
1836	perfhost.exe
4552	locator.exe
3920	SensorDataService.exe
384	snmptrap.exe
5076	spectrum.exe
4648	ssh-agent.exe
3548	TieringEngineService.exe
4660	AgentService.exe
4324	vds.exe
2872	vssvc.exe
944	wbengine.exe
2408	WmiApSrv.exe
3336	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3080d043c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaw.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a23ebd582eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d2bc9582eb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f03c2582eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000556402592eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fdf225a2eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dd817592eb3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c14f0e592eb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e0badd592eb3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4660	fxssvc.exe
Token: SeRestorePrivilege	3548	TieringEngineService.exe
Token: SeManageVolumePrivilege	3548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4660	AgentService.exe
Token: SeBackupPrivilege	2872	vssvc.exe
Token: SeRestorePrivilege	2872	vssvc.exe
Token: SeAuditPrivilege	2872	vssvc.exe
Token: SeBackupPrivilege	944	wbengine.exe
Token: SeRestorePrivilege	944	wbengine.exe
Token: SeSecurityPrivilege	944	wbengine.exe
Token: 33	3336	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3336	SearchIndexer.exe
Token: SeDebugPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5056	2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe
Token: SeDebugPrivilege	5008	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1616	3336	SearchIndexer.exe	112
PID 3336 wrote to memory of 1616	3336	SearchIndexer.exe	112
PID 3336 wrote to memory of 488	3336	SearchIndexer.exe	113
PID 3336 wrote to memory of 488	3336	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_846030886594473c787044b6204319aa_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:208

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3920

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5076

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3936

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1616
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e0ea53c2b1c7e48bceecd128b03d7b69

SHA1
1fda9b8baec0cffc5edbb4ffceee9322b888772b

SHA256
df3ba4bc1c71721bd09e9b3a5b4e3154ce5cb93cf7c27f7277c7a0ef94cebd7d

SHA512
a0dae40fcf93b409fcc295fed56ff054196881ff01505cf8cf7e2e1e23275be6c94a79bdf889cbbd68e338bef2f118180420c1f41f5dfe190be2abe319f23132

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0f0efcf734acdf3f9d9b39e26a14564f

SHA1
b339c272d605968c80b50d61e2b641e17a0037b8

SHA256
f3b2e9ef3571a1b626dd97f0356454fb3bc8adeb599e95be4523c3ce4952df05

SHA512
5c46bd29e289a44e1e16c081d19ea13cc07068c5360af8926960ee026fb8b4045ce21a0fb9a750195b7af9ece904dcded10088937f70bb2a62bba09c64fe53a4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
fe80c112a9da20969bff40dbb3976553

SHA1
50e9eba97d1d178fd25c9cbc0f1d8c3224809cce

SHA256
7396f8f001bc0acf4e2a42bb4e4402098b88bca5b42330b2091476c1d7854588

SHA512
690f203bbf1481996ee44133a2bfed17f1cc6c3e12b5af624236ffc6e2822a1a25e7d982f1d04f374d6fcecff03c737db7a6fdf6504b9a266ea990ae651b7d21

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8b2e73e3489d1bf4ba92798127706ff6

SHA1
45ea951b88f1ff042134d6a3ef30e433e7aa6284

SHA256
8081d0caf08befd2e5d2e0b6dcc95bc65a7b0db2f16c39b5cb5d232cba86410b

SHA512
241b8cdb366be007aa7129c320e0894e34a143b049b8725bebda1afaf44fcfc36f16a326e3f3c70931630dde9337d97ef91154a266f1061889f7d2cfa4782a73

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
99459499e778cdc5fa594f3bb32455d7

SHA1
71e9c736266f4e0598e2b2590845badbd46b937f

SHA256
6da500a8c14d4a3eb60b1006dd2656d8cecabaaacdc1836cadd9921ed3fc69b3

SHA512
faa73f66afd90e31f6277733a9d3a0ad50fb953c6f8165abdd83c0d73674a1721642afa145668afd334acde18bde733528fed347cdf856e1d29a0c4fe511ae42

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
a07b77364c4ac4c9fddf3facbe616c99

SHA1
0839c8d6e091fec11377d33a949dfb78caf0d6b3

SHA256
5eb89044279daa4a43c9f710883540bf2282e9893041e7fb8e88c34ba8d6cf81

SHA512
91e2b21ae86bf83ee0d1fa07a24f41e5228c43a305c6f86966d6df0d717067504c54013b81e52b19a8318d0b6ac58c9a203306b1e5a440c15c87955097c0be88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
5e39c62ff9f95f1f2183c5c18c30fdf1

SHA1
03cae25671f57796d26256af59ce0dfa8dcd5c06

SHA256
83dcbadaece70d31b3e6acd6415957fdf2c50cd26e1566feeda06d261b2140c1

SHA512
6f59c6844717adf64ab39db8e1c2bf11f2b445206754dd1d336188f7e68c5629489dcc614938f192beb15fe24713752ee95f6be53efcf6e4f67018c51e63eb8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a48eaedc29329070482632d9ba456e8a

SHA1
db2defc5a6908d73c70d174814edefba80e7b074

SHA256
e3efd02714ffe1be864b2072c527cfd73a02efec66342a18c9dc6a77a0933a31

SHA512
df34f866ed43cb71a490d4f76c498f863261c81e5a57bd4184fb295df134d6aa901a1c6799f0b97407dd7383e310ed904a49a09ab8cd2250bf628752a392cb8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
bf7df7a118965889e8d55bb76f95cfdd

SHA1
b95cd245608454b61a7b976d19244d60b9745a59

SHA256
999cb504486ea42cecf7bbdabb1c15689a8271deecee03d64fad547160cdce69

SHA512
fb914fe1ef21f821db461109662b96326f06c86068ad6cf9f13db85f70f87e39a180f90c384f969b0dd83a2f9777ff4681a67f9482046abc746c05eefac139e9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fcf22e767ee1785d686f8b940a5ba272

SHA1
61a7a670c19f834995b2c3c563b2796efc39baac

SHA256
a3478f4d02acf6510407fef366caac2974fad1cff38fd9e75e4aa45295b047cf

SHA512
cc0a907a2b15bbe051eb98c36812e571d71228b197a40251e505bf93d183ce7a4d9d23feac959394d501e9414e826272903d0d75664141c91e566e54e8601f5f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9db7f6451a8777d24d6a6edfc60eae6e

SHA1
30f75cc4a59368a2766ed53c68350bec7f58da26

SHA256
134a3c04635c97e9e5de4bc0d5ca226db68f277345ca3125433f9a8769d64465

SHA512
74d75caf1e0c24b47a8d666a193ed6141c74f0cfa46619eadfda6aeec7b5465fe0dff6cb0f4711aaab4ea07053988e3b45f5fc576b52a7f1bfe2cd6d94161871

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
65fd4fc5d78883d6bb67bf94ca6a17db

SHA1
5128d7fbb758a0af48244f3860e83996ed5eec40

SHA256
5f1a9f455718c6bb96cd5a6a571bce2f558cda01c5185e636e111908d06e8281

SHA512
25e28b32570e77cef2e9f198c1e15b5de4575301f7935338c06ec18b7703c43da42f90fe2740585d964a8ead9ece4764143ff5dc4c5615e37bccfbfc9ddef3e2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c4e734248634c47211d0c9bf3b2285c1

SHA1
55b24f1e020d3446e4eeb310455e9a2639899cda

SHA256
235cc2575953c9ce982fc818c9c553af17342ab898636fbd5d15c65ad3fc4ac3

SHA512
a5bbe663782e2b33c2c790f1232168df5a59b744516dfc1e5411457f9ad4b7bce3650a28f1b379c5da16194ef0120115af7f002379ae0669c8bb7ddabab01535

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0bebefbbde3c16217cb1cd89538a82db

SHA1
9d501844ed3907506e7363f597ce3b3849ee167d

SHA256
25fa6621bc552f361177174028679d3f79cf858b3c9adce32b8f15edfb45fd4c

SHA512
cfd4a854575930f1effc7152e2a166998078a711aab209126733b6d9fc456173bac27d37768f3718489c92bf07659292c38f9866b7603a8de5dc385ec4b0a653

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
303d6ac87536ea227d0b2675f91a41c8

SHA1
3af1aa44800ec64b9608730ecee5440c4d676b82

SHA256
bc01d0e727aca0ef6de65b66dc66acceeaa83d982aee8560515ae2c678203f96

SHA512
36be47eb83c6cd8cc962d92f12fbf6cbddb3833bbf2d298b0ac309235ddffd2c2084e249440e35699e4e9d1793b78d4d856d19ba209e3b3f320ab49be62588cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
14a8dad51671baabadbc2ec3c9e18331

SHA1
23b6c9bfe8ac84a7f2a5091e36b2e9ecd8fe8555

SHA256
eb7c00db32631d9c282b8ffcb2a41eb11f3ce63fae0d40bc53058285a0c2d396

SHA512
e64ef38412ce3509c65843943d2b956c028e4de779196a265fa21d98d9b776a9e614612729d9cdc56ec979b126354227d58bed0a07a1283bc49f8bdf201e61b7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
7d2c1425ed0231422fa39ead4fa2ae79

SHA1
22459e4ee2b61ddbde23d65b0d071bf65e358bbc

SHA256
c53822668f75d5be891ee5c593e07a83eb2870c13a15ac1d0efa723163c411fc

SHA512
ba07267abd1e1b417be8fd70339498c02199b99df5f997e5482c8413ec2402a95bc034fd6d0cb212ec15527caf9c35b5ca81d26576c4b1b719e11e3beb1d4b85

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3a0d31281011e4ca6ed8d0cc53a2158f

SHA1
66ce2bc245703ed8f5ea56efe3516a57fd487568

SHA256
b037cd84045575c2d9fab87e75a0fe840df38f2b4bd89c1de8ad99ed553252e1

SHA512
078706ec22ec3ade5cfe5bd5e6566e962470872f0bed2d5df4cdf14d10b9dd0ae69cc6353256798913424f8d99244fd33f19121763599ff1d63b800fb0d6ab37

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c9b5df333d285aade51fd70bb8126d06

SHA1
b1d35f8223a594356acc7a9059dd10a75ea9e739

SHA256
22e34268784d30d4f367d68e944d96af63f0718bd3d0fd7f3c87234de6f7b28b

SHA512
0af4672aff27a7fba6ddb20998122026dd6492bb204b30d13ed76e51c7273f3ec1ac20de32bfc570ecb9034668e7885d0038e8698e1902691710d2291d180491

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
2cb7651dc049e3bd468674b2c7c2509b

SHA1
972959fcd69e0e7199e1fb638d799a9349f889ee

SHA256
4da52804be78978be3d67dccd3c6e9b71612209ee77f8f28ce6827472c4f7f30

SHA512
076ed841c667998f0c24585ff6a795dc70537e12cf711f21a0a58c8fde13530d32c92fbdacb28b05cbac7bb3c22c7e2d68f813dc8c6e55d710ab340339b443d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c3290208d64bf8e9e9d4e28212879212

SHA1
450dfb7cc0cb463339cc9bffe83955591a7e116c

SHA256
f8dcb80a9547b321f0cd164428d3ea7fba49d61af07bc6f635176279656c12ab

SHA512
3012c5ca367dd9cc427bde4f90f491cd2f2ba014801bf38db71eec7ede9025a1811096db7c4d2d2705d7733ea8f1208a57a1d177778965246a5b85233f3a4090

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d47e730fe39b35d388a3e7c5fa3496cf

SHA1
8593f5b4be24a3a793a7ee1f534811d849ee13a3

SHA256
c8cb9ecdb78d8857d097a830775a39c032a2b4c3093c6718e3f4a1608d151e9c

SHA512
d05c70584aafbf40dd07411d3de1169df61fdbacb728fca96386d413b4fa945a44fa87a5a31e0c019dd6b633ade2b2a37c27e1ea3347bf70f0e6b34e31c84d94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d59a04ddc4af604e4c942c97839060e6

SHA1
3daabec80ab48d231ef49df9a1e0b5380cb0cbd1

SHA256
2c63f7e6ae8244cea4dde8d2d8ec10ce24baccef03a1d0440231466e8f874530

SHA512
9df982cde69b9e73f410bb3d26942367b5bceee6f31263b37d356e0185fd45dbd700d403b7049e26e2e38c188eaddcf71d156c3d28ccc2e839c561c83904faeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1afecdcbee56e5e2030eff6538582736

SHA1
99594acede4324647e54460a65e87bbbd89d584a

SHA256
6e0484067f559c635a305c62276b8c9610894a4f768380b3277eb3440ee6edc8

SHA512
857d6ed5b574535a5ce2ae5dc1344bfbea5221e4c37f1c828c2644952eda609d035b1d070d0257095993338e4fa466a9db40bf94b6c0aa75f1d7900f7c0cd282

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1a0341093df73628f5ff2525d1d636d7

SHA1
b491c91ae45298678e1b54e01973f9b5a4e0967d

SHA256
453807909e275d647e6eacedd612d291136214380b6e150d717e6fc50a76f0cb

SHA512
a5f7f6ee68c759fa84edebfde2277c456d8c66f29681bf4755c4d1711244e7aa463dcca8ad1a94fffd8a70ee15afa72b26e8c695e1a5e5b35a70eda87d67a106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
b00c40acbdd614e35aada186c9ffdcff

SHA1
f18cc6b22073e2e2848153e04006676ae5008630

SHA256
81e83214427b7c8dee946f8e8dca4fb1627b53bdeff5909de471b058a077e304

SHA512
6b1975bb4937231ec587779b6cc926b12910a0be4671a6479bb233602692a88aa1b00bee491b456a37b36552d8d9d9788bd8194d7158a314fff5a45fd71cd948

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d20e623ada3176a49ee68093fecaa39e

SHA1
ba315a81c3d8dc7fcb73cfefd8db20b2e0c4039c

SHA256
7be9d6eba31665483542550a429bdb56adfa9e1ba0ecd3592452c8315b0fc3ae

SHA512
d360d1a9ba1495700d6500dc3802bdff158c176ae2c0efde9c25b687cb0d0a00a61b15083f49740d7a7a6e68ffa4bfb98f993a048c6bf2e7f7afa30d489b2b78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2f682e5da2dda27854e01c0853a21b46

SHA1
1d2cd2e7d20b44270613430c3049c5188787b6dd

SHA256
7c6a354bb07cb5714508cf5667630d2b870d60dbe512fb90ca5f0ef12ea321b7

SHA512
0030786d330b7cb8ec721f60af03a29fe8b57e41e06283e525e1c0f9787aba7687fb5c5936fe2b898345e56b7ba05cc10bc1651a8b85afb78ac9a1b8e183f9f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
cd3e147a5f0dab14bdf8180247057894

SHA1
83853bc3fe00431687c9a9dbb08668a53f3db010

SHA256
ccb1401346b03140e4b9c601eba63a85e14e8dc0467297ac7cdf275893737905

SHA512
7491280c7d6b266c688233f3930375fbdced8cb622e4bb1bfac4dab77fc3043f98a222be9ecfae1b7b8e7f91974781cdfe6a8b29c4a55e6dddd883ec321e82df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
781b4ca5940dbeb806160ce9cb64b792

SHA1
ba0181fc9b77ae44c079351d65ef09d15edcb268

SHA256
2ceb33c61624e6728355ce6bcd6ed22f6efe427929c25978cd9751f932590523

SHA512
ecc00af5ff39414890d32acacac3f07406725e80aa6b611530848a516505ac8e90eb4b5fe74e84d10fede739e9ea4726d84a6a5ce63f28d38695583b559e84c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
002c9881bb4a70973df0a10644eec540

SHA1
97e1f5485ac437ef2aa3dfe6073c950732d633f4

SHA256
428d12da3714a010c784ea00e4602bcfb6dcb0e912b43014ba907243828ddd58

SHA512
52bb5cc61e28ed801153c6ad7dbc54900bcd7659557bc45e54ae794b7f9a9e651cfeb8906608e3a91a2ff7ac5d0dd767cf02825d0b4fdcf5a95d272379af98c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
bfd0fb09512c49480f21a742f90a1ead

SHA1
9eb7a0bfbf57ab304a610c390b281882daad9a4d

SHA256
e7a409caa61eebb6a218d0a370e0431176ddbef2394b9bb33d901840183a3f63

SHA512
0c13b7393a6c3561f6f8875a2359766b373f9e991e83aa6bcf3b124806b15217bf5f5aec712cca1c34cc2a01e115554f0e8cec1475f8c4722b911e5f7a7fd974

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ba10fc3ec9a4a18e67ab3e3a14475628

SHA1
80ec8e275a4418ff33e7ade4fbac4603644d208b

SHA256
db638daa8cb244f9c210d7914e474c8a8280eb0f0fbcc92f959584969f7f21ba

SHA512
339b76ec6d5775d90d18c9f076547743792be57926c850b246c309eb123f686adc4d01e9227a29096305ea905a2873bc7959ccadaa0fc31d3591eb6c87cd7253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4829630896bf5c43724451a7a8f7fe80

SHA1
1187eb2300bcd824223959df64f278d54c223d6f

SHA256
3e4cedc293ae259f8de90ebae47f07d2cc5c924bc9673c37a84b162fe753bfec

SHA512
7a31a2c1254e0ecdd2973d21df830a1489aafb4cdd5746bd4850ca44d11e90d45e333c0f0db868ada7e245b56e6185785ceabed8b7c6c64b793be7cd4ed741e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
eb539147a10a1633969eb0fbea6d0866

SHA1
8fb8b7015871337681036159fd4a3e5d3747f7fa

SHA256
9059a0632f67b7194d78f6c345daa47b8a53eb2be35fd7f838e15fb2df3588f9

SHA512
9988274ae0ee071a8f2e6b9eb5e680adb6b17cfefe308582d4db65050311b36996f3506e5536b1b1e2efd75e29a47f48430b1a0bf8398ef2b910247e610af227

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c02ff214b3c8b53c8fc8a28e44d3cb17

SHA1
ff4280cb1e980149cb5c1b2dcf514cd039111605

SHA256
b9271b5067da984ff4d79fe9e9f906fa333545b00a25689618fac6cd1ebc9a9b

SHA512
27c6b210b0f06e926e83be3a3fca47194a67e076975fc50294636d1614672bd7618a5418f573bdeb8e3887b655d6e6c5bdc4266f2dd4eb2e951564324ad3513e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e0c346f75d9f8a31348813a27a7bdd45

SHA1
aa05f0dda6136d1141af2222556b5742e74335a2

SHA256
5c47d5f6a2a09dab210278ebac7e59236c19fd9c3aa62a9ad1fce8a9c3284ac3

SHA512
5fc4ab519c9c881cb4b62edae32c366cf348175432908678f114b286d3790fa4426e093d0526e3591b1ef766cd09bcca0390888865ac2512004ebcd5dc3b4153

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2d27238e10dba832159bb911a8555d58

SHA1
7c5c3b3dd2f159e8ca180f9e316898340061fbc9

SHA256
1db959a826a71f1cffc110f289db1f1e3e2ba5cca4cb68c8e22e340ae1bc6625

SHA512
fb6e7dabdf4e6b0a92062901defd4c8cf68b213fd65a3152abbb6ed372f643643296458b26a167be326e19955b8bdf50b3f7e21d92ad0583b7440c9ed83cc1d1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0257bac591e68d48d21efa3756542606

SHA1
d0ea966921b8f261ab4855604f9fef58fb34d3fd

SHA256
920b6f31cab0c12f877056210b20fe2fade9c96ceeff150539a4d8b4cb8d0167

SHA512
7491cd2159f2dfb45aacd3d4d6796099c74e497524f192808daaa6f0baf21f82c65d03785d204e96759fda2199ae6a60c3228f24391873068e16fea66b75bf34

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2ac922f71ed62065edef197ccc744451

SHA1
31b2a472840d412fcd0e9dc1fe7b51020a8d03a0

SHA256
f306a58b48502f25f020dcc7b119e172814654fe97b8f4b205dbe9cb3d9fa862

SHA512
631b8a9cdb9c89b2c668e9e0d83b0df0c6b70a82592aaffcd04de7bbc2188bf6446e9f0c92807c56bc19e478e44a8b8109d693c86110ba2474269a1249f1c120

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
09e66cd202abb0931d3740cabe14ac12

SHA1
961c4a2d2dd98af4d74992a27e09edc9cdab922b

SHA256
13ab2cd05abf75b060b5c75c0c7207e8adc1677678b45bd87d12117658843346

SHA512
44547d7513487a8e5b59fdbb9ca388fa0ac1d32f47959e5485e066db6c612d7d5a5c4e129c5a3ac6118684dc53392481588a589bfe0b34354a69ea3f624d0dd8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
9d1015f6c39463fe4fcf1b1884d016c2

SHA1
4b2054774314168d0731576c4b39cb47e30d6d06

SHA256
d1261ed7d24365b1bbd3014fef64820618c92f7746096257012baf1c5a4d7782

SHA512
389343486d507a85afb5df8aea6adeefbe02b01e48cb9217ab596c93dfd36352769c192824fb2c9b2b9b75eb429b0267c130374befb79b17b48a80099c981d8d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
7ca206b6c9789546697284e252892b27

SHA1
529ea44ce57554ced41e2a29f0c7dc9455d020a1

SHA256
bb65b1d44e422606395e9aa5ec92a63d4d1ea5947963227e3b64367a98a4f154

SHA512
81ce5fc3ca73f7602d9c6fbed7e2f201ddb1841366ede2e20275118af26888064570cdf171ccf76f1142adc4461040eb6aad0d8007ca4e87216de5f80fd21b0d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6962696221ef73c1f8672026c82632aa

SHA1
583f352446f79ff19ad231012db0e1c5251ee1a2

SHA256
0cfe477bd6b4ef0a0a1e775745b26c30d61922175c3521a33a406c405119b59a

SHA512
7e242e96b55965a82e69425229444666faa734101254ae817e090d5b9e5c22fb0e077cef2ee7c5d324af7d9acab7a5aebeccb182d13812475326184c50e34cf9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bbab33f9c3f1a7ae5902d9872ce7d383

SHA1
446dcea405b4613321c9cdc5dab2b9ec26334518

SHA256
6a9065f7accece97d774d244b41c2e209a8a6356f1c716287f590e3efded3184

SHA512
a1bb70d9409362f01ab6dc78f0a740ea4175cb49917651ba1200a8a776883d075665299861ac42385a29a243b768fc1a79a29051934b82507571a1fa539ee3f8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7b71cfd7f9998788aea4c846d9d7a5b6

SHA1
6bb05c16ccc9c82de94d47dcd8ef83fac5824679

SHA256
aa51a4bc7852392aa0b169a4ce644d71bd0f94a6196242eb80f0f870ed2b3621

SHA512
20d3500cc5fa5507feab4a9ecd2785d66f5188ae27e65244b3d4620066accd7f71f5b68a9c73aaeb779488b13e6ee5def7449a1aa199fe17e0b97a3dd035a793

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b666db34b99af6f660074e948b623eae

SHA1
8243b8efc08c02eecc069618bba58e3ccb3b0713

SHA256
c68ea712aaeaf4b16b509ba4b04d7a7fb777e92265a92652590f9dd0fbb08b12

SHA512
3fc73c79a5975aea4fa6e752ed18fd605fcdcf0e46d374df01e204d9d9faef6c7d04219d0e2ab48a5f3ed6d2845527b8cbf0fb19b0169e12929857600d4639b5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4268af38e2be6964541ddbd3b4e38cf9

SHA1
e6aa2745fcf7b7192d4c1c90770759b73b81c373

SHA256
4ef5e84d73e79a2e212e0f459fce5df77361bb03b9dbe6b015b4b017a1cc743f

SHA512
47fdd9d7db20ef3dc0c51ddd9171573f6004048d2c5d059f9bf268f3d15db66a2cbe4c634a18d3b0ba707a71a8978b647719821968d4069de231840d178a8841

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1912070d8c1f227b8fcf728e2fb905ea

SHA1
23d3a01e5caf3419ba4d77e532eef50006e78c86

SHA256
c0517d558d325638f7353fa842f88e969560900a4693dd135bf3426cfb8b23bb

SHA512
332d2552a5edb4cece2b1b4b8ec3b72e576d44ba17bc4ca7ad012dcfc4886f594489dadbbaae9cc77154d155cdcf0082349cd312e99babe091c92c5ac3adc691

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
77b9cc0e71131e91cb5a3eb6a502bb44

SHA1
b245fe0d54dc16ed8bde433f13354d6938f2de65

SHA256
885ea7300dcf1cc1e16b9a06853a6ba85dfb2b6dd1b4424d1cda547ede3d9b28

SHA512
c148626e2614c57966a2f60fbe728c615fec907793f4a2ad0674e5170405d5986d524844c563565f228e0b13751ee333c2f6a48f163cdba18b300553e18a1e2f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5e0a8619ad461edac1f2adbcf95ae788

SHA1
8512e8473f5f0ad3c2d0caa67da598c893c94e15

SHA256
0dd7ef375d7308376b52661cbe1e48f2051afb6c8dca00e9e064cae2ad9833b1

SHA512
b16055ad94585524476189a542269ef91e6b22135268e4251031a8192953184d41ed9741ccca1e61edc929f1054d341e0ec5a73fa7805de7dd400d97dbe82fe6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
dd0214b7b92cf084602e2775b4985c29

SHA1
8cd007aec8e95dfee8541ddb495e02a98ac759c5

SHA256
fc9e84bf763d68ad0561026584d86e6b17a64f227e9180111c6bc2dfadf5436f

SHA512
05a04d2cd289370c5a2ab04f5cc7c611834ddb66860c7390ffac41c303dddfe4e2c0a702e1a8e31c1d9984cf26b410f13ce1dd4b324f20bded4c06178031862d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2ae8aa53313199760594966eea8bdb80

SHA1
17627fd84b57c20c475e5836de63043990287282

SHA256
3ac022c112f5d4558f22048a5278cccdeb35923da67552e4fccd9a8ab46d5eb5

SHA512
e4416d0e6daa1c73797d176be4c39872c60e6f8459542da16aea3b8873909dd77da82adb856d71cd7a3fbc895c25d182c30c43e708f2b44c15b09ae1595a246a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
bc3b0eabb487afbdd5d13b2852d8043b

SHA1
dea22432e843813135db9dbfd80c6f7f411e583d

SHA256
c6785654f1c25a4a43b68d9d35e32fe3bc63ac542e0fe7890d5ba21aad8a9095

SHA512
861658b3afa3fb73b866d1cadedf45161fa6037f92af72e078584288fb70893e989bac8a9075cfa61ad64ccad25ff1a3d0a9e7ee40ba6f897dda01557d600fc7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b94b8fd710ffec5f7008b398a13e3fb4

SHA1
a1ec26acc648b2363d26d96a0940dfaf9a4eec5d

SHA256
8b2a45a19c3870e77c276bd58ee3cc34fb9103ff51fd11a4930ee6887330978d

SHA512
ba8b503dd6c988ac822216f01d394051a3fb293ec4f834e361f19c43d157f7a1aa4a7b239078e2b2af81dca38fc14ac2465484b6169c37e3c4b53947bd8d3a86

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
705565a3cd8bdb57fd461e7fe0b60472

SHA1
a23e724d1c1c66ed0cc3720b6fbf55985bdee265

SHA256
e518f854f4c8fe56460f630ca4a1e17934a3eec004c73450d514854fed34185f

SHA512
a873a5d9fa93fbbc9f62ac8ac503c4b2cd14b6bc784e03579cea84d68ee10b4dfef82b19f741dea059136d14b08b5dccced00eca91af44c3bc7cec89943ab51f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
47a16abb02ffb3aa598790d65d41b309

SHA1
929d38c5ff3a6789f5338f451282e26e92dc7c45

SHA256
965dd94e2bdd7a0c39127d43f24bfce9feaec6ae59cc9e81b1427f0a7ec22f18

SHA512
cf44b68d1621d4c0399c078684aa88f13590620548d2ec28858c4ee7bac3f4bd66a1b942dd421bbf1f57931db831e4b07a404e4055713f546039cbeaa735a17d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0bef96fc8aa432490fdde400284fa693

SHA1
41f54943d2ac47a9807ef1d5ee72094512306f0f

SHA256
c1ac9351befd321dad2b46a2a5b15315f9c98c9ef51bf350a447676f7439ddbd

SHA512
e7bc55313165f8203b9d4fd9a806c13cfc9debcaeb4c9c6136bcfc6aee9938719fc683dc6de5a5869edbcb4ca877f369146c8c95cbaaa70a8345cdccd3742304

Download Submit
memory/208-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/208-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/208-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/208-580-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/384-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/944-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1384-52-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1384-60-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1384-58-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1384-577-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1588-88-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1588-302-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1836-258-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2168-256-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2408-581-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2408-300-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2772-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2772-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2772-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2872-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-582-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3336-301-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3548-296-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3920-457-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3920-260-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4552-259-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4648-295-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4660-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4660-48-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4660-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4660-46-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4660-197-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4660-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4844-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4844-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4844-74-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4844-80-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/5008-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5008-458-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5008-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5008-10-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5056-309-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-5-0x0000000003C10000-0x0000000003C77000-memory.dmp

Filesize
412KB

Download
memory/5056-16-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/5056-0-0x0000000003C10000-0x0000000003C77000-memory.dmp

Filesize
412KB

Download
memory/5076-294-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5116-257-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download