3f7feb3eb240cd6c0ddd607584b3cad71c88c1432a693860cf9ee4bddee06ac3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Size

24.3MB
MD5

db599531ac75bc933ca182903c41693a
SHA1

514fce0e3d1f995de255c531c9df6c1cc31764b6
SHA256

3f7feb3eb240cd6c0ddd607584b3cad71c88c1432a693860cf9ee4bddee06ac3
SHA512

80b4b34805cb155c55453ea528428cd1fd781a94427d522f83a6f140709f3b53ae7180e66b343fddf03e18708617746400fda5a971eb3a32c128bb0b2d544d4d
SSDEEP

196608:vP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018KIoQ:vPboGX8a/jWWu3cI2D/cWcls1V/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3172	alg.exe
3092	DiagnosticsHub.StandardCollector.Service.exe
5064	fxssvc.exe
4888	elevation_service.exe
5068	elevation_service.exe
4624	maintenanceservice.exe
3504	msdtc.exe
3796	OSE.EXE
4944	PerceptionSimulationService.exe
3048	perfhost.exe
4440	locator.exe
3728	SensorDataService.exe
4224	snmptrap.exe
4664	spectrum.exe
4472	ssh-agent.exe
3168	TieringEngineService.exe
2000	AgentService.exe
4728	vds.exe
1828	vssvc.exe
1080	wbengine.exe
4204	WmiApSrv.exe
2020	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\640c722ec3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bbedf0f2ab5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009534b0d2ab5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a38980f2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000930ba20c2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006891ae0e2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f87c140d2ab5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005228470f2ab5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ea2590d2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4c2820f2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e84c50f2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000008a490f2ab5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c22e060d2ab5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	5064	fxssvc.exe
Token: SeRestorePrivilege	3168	TieringEngineService.exe
Token: SeManageVolumePrivilege	3168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2000	AgentService.exe
Token: SeBackupPrivilege	1828	vssvc.exe
Token: SeRestorePrivilege	1828	vssvc.exe
Token: SeAuditPrivilege	1828	vssvc.exe
Token: SeBackupPrivilege	1080	wbengine.exe
Token: SeRestorePrivilege	1080	wbengine.exe
Token: SeSecurityPrivilege	1080	wbengine.exe
Token: 33	2020	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2020	SearchIndexer.exe
Token: SeDebugPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4408	2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 4812	2020	SearchIndexer.exe	113
PID 2020 wrote to memory of 4812	2020	SearchIndexer.exe	113
PID 2020 wrote to memory of 4856	2020	SearchIndexer.exe	116
PID 2020 wrote to memory of 4856	2020	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_db599531ac75bc933ca182903c41693a_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2996

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3728

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ec0498b0b2a71cce1663e07ebf912e3

SHA1
a8b4e90e767d488d75b6fd4ae68b386ff3c61e78

SHA256
d571f504e5bde83366b0b54e4ce2fbd8117d04c351e26ce04a19f9d85f88a43d

SHA512
3887dbcfa939554aa41006dbc62e4854d7530385d5e9790256c9d1a62e13cdd83e43c388823a3404c5d1d76fd5f255a3aa8ac3e774afebf78ec60b710aa69483

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
09d8b8e5bf322eaca94e6aa6a0a353ce

SHA1
decc7f98c510c55256a205b72a1fc053e87b7f05

SHA256
58b2508e3152434b21f24cad2c36c2c19987a43395b00054fd52dbb2a90b6e7c

SHA512
d6bcadae8ed92dcc405425617d1dba390bf5b2c95f74d621d680b6f58fdd4772e228f6a476d4b7f25560eac67b2a6a1ad836936c5bdf27ad7d1399aac7bc8019

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
00c2da87389c13d8a78269ca9491a5d3

SHA1
9cd6e0c601699b213e2b7f8b733e33c88fd33b76

SHA256
70fa8b292312ca3f4ff30f50bfc232e614e2251af3524f42f243a51ee75a4191

SHA512
96785323172eeefb7e0145289d42bb258ea466e1b0b2e3dc35f44d047e7935ab5317420d571ebf9ab0414bc5b7a4899888e7d24de2fb692f300118dc03434ca9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a81333a0d28b9e8399c88658450a19d8

SHA1
524322f1c94c196a94cd9c1bcbf59d004676e996

SHA256
c58eaadd61e9a748a15cbda7d01a5679b68ebb3fa369f124cb2fe6c356a7f873

SHA512
3e2a745c1dffaf9f4682484090c7be0c4f333e5f47ccf9551e2694c26f533a0b82085baa78a2ea9b560ead8c5f854462f8a0bd3793978756d31802fb6d56d149

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
87b9d58b2d5be2549c36c5f5e62bc2df

SHA1
e79f60a8616a2e8b5396599e9f96825091971d06

SHA256
0e55a92b42be99a7be8fd11bd80a087abbb71545cc9ecb78db202b049b6de856

SHA512
7469f4f512523b86a4a9c797aafacdf1ff7e90c3270262f1f3c75c58cf964a46b8c44c0fe64e068efcc95677834942d095d1fd9da63a0a2643446f372443e3bc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7bd4530b2a38e24588758ec0f52faa09

SHA1
38a53573b13eda7e5d0f8e2ab38158ae822dfebe

SHA256
b3264857c5af9c5fe446d9c7f17afebd1aabb46aa451bdfa70dc27a6f36c97bb

SHA512
f72fa80f6d89d96027807ad41ce28ea0dd164d17336e96381a4e3c475ad191856260cae93264b8b936d6f26ac596d5785bf27c8e9a19c72d9be2c1a4e9fe3b9b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
9839f352bcf7f1b57aecd8be4072d7e3

SHA1
e2fb551fa96215749a98c37f215656168ac406be

SHA256
dda980ef8e0e1c86fd1490f01a32bad0ce7a53caeed2e1f6d49101dfbd84922d

SHA512
381218c01fce33f27c476835c70fd6641c5b2c347d2ef2286e5a402f5ca298f1418fe915a7f74979c4d2abff467457429118ce1826068d2d35ce9b3b27180865

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0d737dbd003df28c63a2bebef7d3c4e4

SHA1
0e2e70f74a8c6fb6d5487a49e02292d88cd36b49

SHA256
6f4a3a08e2f9f7f6f589d47f571c593b7a6c26726405da924505f979cabdd053

SHA512
fe856c12b36fd6d25ea0380b483582af281bdaf1bc97b7a46c7b5b207aa683d205d50ffba1c302526f647b9d1f2b1ddfa7b6743bd220eca3789a361144115e57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
36a6c89a127f212414c4550da9946dab

SHA1
317b6c43abb473347ef9ce05cb00840a930c29d6

SHA256
5de55c1c1f406b21a101005971a1b02b35100bcfc1296661aa8b9bf1bceb87da

SHA512
100a4307ee1cbef31a334057a34d77516a11306ae28128c58bae9998ad1cdafd46b074d38b3991fd9c336ac853482f54d6e3d006ea2142d1cb2931f9f5071a62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3c8656d9054c7c65b6f9e5a3cbbf89d0

SHA1
c6ebb77555219ed78c484f1f84d716db046dd9b9

SHA256
11743272486e0bd882c97450aa3d8024de59c64173213c6732ffea9f93aee41c

SHA512
3385870237a92d5e4cfb7e304b6a37e98d827c46192a03850038ffe3c983756b082bccdf4429ee294285d2820fb2686cd14f78a24c8da461ef192de5966e289a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3cae2f69670eeddeb2cc79db337fcb64

SHA1
ff11342ff006d7023a55bdc0a57bb41d6a0c1f3a

SHA256
09e5965c75ca9ae09e5347689edbb3da7bcf137c9314511190d526e1dd2bc93f

SHA512
fe8831cf4e06469d4d77013e8b1b690b919f2c5c299fc458990b804f2a9c48f6b847d00c6ad5b1ee45e4d972cb21b1337f63bc83df1b768ef6ec106ac2009aba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
23ca173d7b8986ff92035192ef0c92cc

SHA1
a656716bfca77c47cc10d4b9f95714a1eeefa8f6

SHA256
617bb79e602d1119eb83b069df75d1dc5f176608fdc14bc0a0b4c316500708b0

SHA512
1287dd07f6a146d4ddccc7a23fd150c289fe83aebed5c9f1019da08dbcdbeb19373968dd98a599a6e539a122d8012113479e19068ae2bc3d093c159ba8fd06b4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
f290a36419833057508310d920ed2c6b

SHA1
a0fca9054a8bf80dfb814322bd0103fb6fed16af

SHA256
3b529e513d96260c11fd3a2518e41c6a10be534ec9ee74d74aebdb6d51afe74c

SHA512
e8710335edbac1b8922f73a86e2d9cb508376c3847bf37c982cdc7245474a24e91a5e1c7f8a770d8498ea6c174fef4a5ead75bb54ac434baee3c2a0e7e4aeceb

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
517b1601ffc24613899b558a6d49bc2a

SHA1
9e14f5bf4fa8fa1f5e1719ac4f3c1dd3f2376ecc

SHA256
be08fe1b586403653ea566450df6e162c3a8e49830861afe0948febbc609c8dc

SHA512
2e590fe15dcb4b7a75906339634740f96916de6632c0e9d8e8155b1a838d59b0100f367383224262fb7e4070ce1ea1ea08e11bd900a4fa1920aaeb9a2c6fa086

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bfa7388b2ba8e3f2c7627d46062f3e2d

SHA1
525d192dfc3b974ec40e85b6b07cda86c4930bb6

SHA256
28655030d49c33a994346fad60b224eaf5d9d61f5338f184631fba4221aae9af

SHA512
a9ce7e0ae61cb678592d7fc07e52de69d0de1f3f8ca17821c96f052afc0a51007cebecdf8f207805f5e62d2c2c0e53248311d5b2354397b0070263fe274fb6b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
fcb680471f7b2a379940cf3cfb5e5272

SHA1
8532fde28768f466e51c8709befffde7b78302b7

SHA256
e34a2dc3c0b264cf6258d76595bf95df5e8d5053fc28809d878d6704454c9dc4

SHA512
01a2862aae635cf1cc068487e770820046ea29096d03fd37b4c783fc33e26f36beb07c890b6a681a6cca864d4bff948637a371117a3efc45ecf11022f8172057

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
777c5a4a9e0b6937697ec7842b1130a9

SHA1
a45961bfbee5feddf712b65496d80f268de62244

SHA256
f3b4ab0bb767a050cc0279f56a40a731991d3bf68966a8c83c5b2b7e2d9131fb

SHA512
1ead5ee92a30cb1ccb54f855369535f5f857d4a66d352bd39346355c3a559a10bd143dfdf7ccf031b344d485d01c382e700f97140edd91ccb71f1f853bf269f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
80091454544265d9cd671dbd9658b6b6

SHA1
ffbe134d52ade1717f18acee9141c16c7737ebb8

SHA256
1449da88ae12881435e922f76089c006cd96c50d28002ede884c9ec921230c27

SHA512
49c9ae3db3f999e6d08512135e5a66522f765850728aef6ae6b19488f93a6ac70edbf07c66e683705a57c67ce9ba04179c0c892fd3e0ca652041710852ec3415

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ed082c289e13fabc29724b3155f653d9

SHA1
e47263ba3ed28b53511b27e408c495250756a0f6

SHA256
968e2da9efc460c49698ce02875549e71b0b226b1c163a52c5ae015dbaf8a8b1

SHA512
5082e182f263af48176258be6ee9528b5480e0cb08366a4935e0070359f9429e317cba862d0aa4c8cc48164333fcff5d7c6db156d0c04be58d39158deac2c7ef

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f05e315350e0451579fb89bd0fe677a2

SHA1
3e203acf1ef3eccc7687f0c7b452010e6b7f9959

SHA256
7edd67965ae476cbf6adf3d6f8a72754f3bdce8fcefcfbb2a587f7e8ad1fcdf2

SHA512
4d137360c8a7587546cfb00470343188744c6ad12e121d73a55a00c172f44c857594351a18eff11372d2f65c95b45726f01a96aff3a7ca58d36a005c9f2c64f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
11dbde8f7331be80033ee5942a7bf470

SHA1
ac19ac6a5890f3b6fdb9e3993e4ce5c31e0f293c

SHA256
c77be5abd13a432b4a19c1aa492de999422518eaf1824408efe27a5aed2690a6

SHA512
e424ba714f29669be9d7ad7b5ac38fac1dfeae4600963a822973c6e4cdee22933a87a76528a218c3a259931f8178a4e33bfb79dbf473a3d014fe2de46d733a6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
073fa51c23458d8386f7f5d30f496330

SHA1
85ec81abc4f66ede14750deee47894ff4cce54e6

SHA256
e0931664cdf61941763730892fac4b73da973e3111fca69a36a7658743dbf9cc

SHA512
2aa5fd23604bdc36e7f5d278a3738ff3459cb5eb7d1b117334054da4a9ecc3aff4bc3e19a8413fba85411cbaa2e72e692b4aaeb34d441f3a8ff7d07d98cf1470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
007d652b1a3f626f3b56c8e68c050c7c

SHA1
19f0c32e0fa610493bca298a957173faa01995ec

SHA256
6564ca0e297e136661c9b74aea6889d4b6df3d0d2543cb4191c58e61c1183e02

SHA512
39de427c36adeafe9f0dd7b1bda7c792fe2f7e58406c65a8a51e1abda3cefac46ca57c0e5577fe93c140bbd1cc81d4414f676dd4fd8ab86c4ff1a3bafcc3d65a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
c842a8630f1e3052c0c9f408bf7d6435

SHA1
9c51e3a0e98897d88c453caaf8281b52e5c0c62d

SHA256
3954935f90a9b412c8fcca28c8fe17313239102485ed1fdd202a1c1a02c0e1c9

SHA512
bea8c2af5906c34bb8f89a56c89139f56e5a52a8b285404b6a14f04a4bc4f1bad66355e6a37d140af9983c50f287d5768b9f4eaa8e5d32ea1150df82a30a8d11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2c2aba38b0679da52b48a03d72bfa13d

SHA1
acf019f77b5a8e358c3a1352fc5d37544635cc34

SHA256
7bcfd996a9578ad7a20bb1be9b74d95de7bc94fac2ee14686bbac0fd2a43f2f1

SHA512
b1c1c416574a37ad631f3ddd7b5809e5bb089ce276bee7576b5bac934d9c3c4d15417493efc22d1b2528550578fb3ff671b6382133bf87d991959164971c3fb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
1c4b3242c82628f2fe42393a8d023d90

SHA1
7e2b5dc6bdd41ddb7cb1c11f9612702e1cf5ecfc

SHA256
75e4db020780d1878d526d89e526017b9f06fec10b1f3e833d7f822a5a2ea05d

SHA512
db6711dc6459f79d5a2277eddfb49bc14d77656284c3cfbffd97cf23f7d98dc6b58b6dae4bb117c5ebf90f5c204b63e4fdbca62ca3e757ed886e5e2d39385553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
5aa0647a0d5c6f4332be8efe0743247d

SHA1
7a8ef398a83df49211fc2ee48ab188888e285d7a

SHA256
219e946f9ba6c6b240321b6e18f632f96603dab3dea367b985bd6f9da9dbede4

SHA512
4d456bb1bb53934519f9be29ea8abf60af2dc07b3879f58f0bfe6708de3c8bc5e2a0046ff2c7cd79fe60d89e3a8d9d1835da25e5624df74c1d4315de6aaa5ea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
225b8671f5cb895837f3fdb49a3b1e87

SHA1
c5aeb87296101d5faebb2be87f9bc69b33e0c95e

SHA256
4fe3a8c0feebd77274ba76f26aec59819ad269f93471331862aaf6ddae05b97f

SHA512
05ab855e5ac5d7def3cc7006f6c22dca65877457dfba9841e78f04704e54c0e411dcfd96117bd687c3dc5762e7b8b81395c6eef9ec29f2d9143f621b1b82ab95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b5c086fb50232391af096220d47bdfc4

SHA1
7735016145636e1539b0a2d5ac9297a768c91c52

SHA256
db1ed84fc9980214d01e0ed1b41f4b5d9ecae037375e8e3ca7c24c7c8e8e9a3a

SHA512
e622120eb6c90dae419ccaf1b1951fe67ab22e498acd355cbf1c77e4f40c782924c23fdf2b09898c40117b763f5df21bce4df8bfef2ddfc1c2b9201e3fb15b15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
6a4c3b25e94c349f4934257b796635bd

SHA1
3a2dc7bf74756283b0363062fd021b5708e0b3f8

SHA256
73dcd690c97e6e7627b1f33ffa6229f56a18db326040f5729d7afcd13cecc3de

SHA512
75fdb65387c42656eef6b9f855d7e7bdd23b70a870d5459c0495bc1dbff82a56202b4e3181cab5e8ab579da9633437835efad26810927b69f47c21309aa88857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
48f931caef8208febbef99bc02448ee7

SHA1
2cb173b208a663315ac467b72dddd763b518545e

SHA256
8c58e4825162a7c5f9b70d56b5796e282e3ff7189802cf7ba08bdc9aa507d6f0

SHA512
9ff68067932edaecf8b04bdfa9e29302ac9986f2b138463cc97e607e7c716f1bd0cb7543c3f1b07a41990be75f1bdbb2b267b1a3b6448e8edbf20a0575efda5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
8692f764e565ff4a9f70be25bbf99cf5

SHA1
87ba33045e3aa4f085ca5c448706c777f3e86ef3

SHA256
41758d98ee0b1d4904baa8383662ddd74c46ff3d1ef36af8559c4ea189e42dd3

SHA512
529e34faad2fc0f76633977aed552d85c0eed774fa730ea7eb9f5d4f3cdd1ba759990a1edd6a6337a64bf5c31bda3750a5ebbf80500ed365606d1e215d69dad0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c7ceeb93c281c4bf717e8414eef2e84f

SHA1
f0dfb3d46c86a8222d124dcd7f018b66ace36036

SHA256
cfb293657301760e7b9d392999fbeab027eb6d8d30dce65f40924a71c3f3388e

SHA512
fa6a61804486ea68eae6d72bb676ea506c728a229b953d73ebd149d36de5d1c836958c28a6e7b50914dc4487a4f3dafe5f2d49ac3b650fe8b8ebef6df825b7c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
6c01e5944addc0daa2ca136587b6f314

SHA1
b1e0bb6bf4ee6e772ad9bfd37b1c0d6faaf301a6

SHA256
0caeddc32dfe59d874e3e5f621eda177af1247dc3163ed13cad919549691d63e

SHA512
8f722cc3140345ca2e96f03946a8cba22d4e02ee72298b405a0b9734788cc61c6ce6047e4bf7f6be6bcc2150bdeb3e2605045bd1cdc9558748441aec471e5cf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
e523d673d2c1c8d06aa8b2497015fd7a

SHA1
035cdee28d3e58a736348fc68a5496b0f0f4b0a8

SHA256
12b55e363010d46e7f70a97da0cc8436f5a4bf87adda1c81d50465e815c72c1a

SHA512
e81368e2b08ea3e3cbb074171215aa9aca403362b377d74f6ede4ec5696df9cd8b4dac62546e5773a8b14dff9355bc35fccf84307da57f8c6644311dc30b3f4e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9ad8162658a8beb696d8f9e3ddddb21b

SHA1
d8bb380c48785802799b9c857d71019badfe9d91

SHA256
60cebcf6bff4981fafba13d070d665bd84e5cf046e737b9290a722b046973e0b

SHA512
3d71eaea267f91d47d25cce8a34f4a9fffa032824ceed01df9d439054d072fb4142ff436cf01947aadac898486f696eaea907335c5e5333adde3aa8e7a7b8110

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
8d609884b2a8d031da2bd70183634c1d

SHA1
29282d905e1cafcaf3c0cd4fc8d9bb30ca8a7fe0

SHA256
12220951b08e09ee88666db8378185c1555e57748f12c98c9c8c20b634a70212

SHA512
1687d53095b9940b2203c0c420ea525f28fab99a2de1fd61e90ee1c39d1254e89271acf904b8a5312748c599553e63d2ffd6b26f1c1dbbe1face7f803f43bda9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1d1cbd70ae39298ebd4292e164547591

SHA1
e213ff66e61a8e6d603168d2cc256ccace8d13fa

SHA256
55cfc6c5510132ca78345a6bd59fb8e7544ea118b1d0462d10fcb1ef39ba9b58

SHA512
7ebfb0558e970ea62310a76b43e14b7141dd7da3b51c72fbfe43b7e9f0a402de690cb4bb3a7c4b71d7f92638c046c7f562aedcaf0be4672e680b7db21d546cd9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8064fd6a5570093cb3bf94df43b1d8cc

SHA1
220fef43dcd223273c48896798d2ae52112ee64c

SHA256
ea3c5ad38660fa2d35b77f17902a144fdcc17be4e9802dc33d63217994be8fb3

SHA512
9707cef7d1e5f4723a05ca95790ddad8d49da8c5775c46eab0d745841fd889464417f55fe765e913ed225988486187b1efed0c94c33879cc57bc55430650a572

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
560e71b1a259ac03ffd2c9c71af87478

SHA1
45cc37434f299b6a3a1aa5c28aada285306d5c0e

SHA256
5a8a72382a0800a637b75a3993df3ba36f747a54863a14f7a91f334f70e1dd07

SHA512
8406ab5446655d887e00adfcb9000f8b12667fb29080191d54fc79fedd81de32c8b2cf500ac677210f912ccf850374307fe52560ce695328ef0d00277a5c9331

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9ab9ff59982f2e7a3cd44083a887fa6e

SHA1
bc245de0640f9bc92f778981b58070b2b282e4b7

SHA256
71c3efdd7d7e30f1da969713d965c36b017f0c9d4ba43c9f1804f4901eb09532

SHA512
d78374aa16e35beb0ef8fdbde85309dc30893c0b5cafa8b73607af2c10559490270ae367adeb9385c1bcc55d0efd95cc76b947586103e91f88a4234d5f65c717

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
53fa4956bd6aa62bf554eb23ff4ede29

SHA1
23d517a6cbaa8ee40efda59c09e0d9cc8b28d0ab

SHA256
f230e2d4449a9373e641d0d858e1dd209b5c028741172c2c91576445be775fd0

SHA512
7cf878291dc6be8615521d4c7f93a37d0ad7bc96e07a522cd0efe24870955817a1a16beeb5e7ccf012dbf6216a462066144a77b17ca62bf84fcc9c9f8986a451

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
fc3e45b8a61cb93b6c2a405e0b993226

SHA1
1addd93e255db12b5293807b76f7aab6d0d5c38d

SHA256
5e600c69d7ca685e096105e8391f2d0fe6e0cc8425c35caa1530fa6840b800c6

SHA512
a464956124d338f81689babee85aac00966978e5875ef0da747e9a50135f21e3855a9ab5933265e8749068c1643052c8ce8b50d234c39c54d69a34cb6d3dd62f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
19db282aa0aa89d80b299220e8fd4181

SHA1
5e14bffe4d174e28f421902ee794a8bf721a42ef

SHA256
75a7d50e3e4cda628dc4d2aecfa02ef21d08f9c9ca63950d0a1160e3ec7a2232

SHA512
1d01aa38b0820ea5b4d72426aaa8de934fc781cae30f50683527d590419b3328a86f4da38a215bcfb126f4136168ca4a014d7a279a7f01325a09d5208f729586

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a5393af8e1ca27851c31aba679fb3b36

SHA1
47a74a26c3fcdb26566436e7c5447d13f9d5f769

SHA256
f5929932773eeff594946995b68e24f2a988d052bf955f56b7802bec85a9200d

SHA512
2f996b5ea804b87ea1b4e79db7e562cafcc97420595c915452a6ffcf2afa7aa008bcc5e94af40a0ccfab2a5f4072ac518428098e9efc8a45b139d890c0dcc95f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6203aa6e407087dd55b6a661afee5ee3

SHA1
38461764bb3339db019794ba4e10d73654493ad9

SHA256
0683e8713f2cbfedd8475467afe45be66e93c7f3eccd8e6da4ed36b3eec71f23

SHA512
c21ceceb9d8905fdb5472fd0de397b7da896cb59b2c20b29b1e822b4d9944589c4e85f0e6cd4c4e083144be47b159a0a94ca784cb6179d912b9bcd051c08682b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
82458e6a8c4533703cf31bc3b2046d7d

SHA1
020c27eb17040bbb97ac823be5316e0aba096dfa

SHA256
e2233f838a550850aabb350347405275791d078fd353ba337ae07730a3a7e34b

SHA512
fbbb57cc05919a46ae812137d1a5fd7860a9310c7b04599a0f0f40ea9c1ed23e79fcd84c28d05fe4c7f41118844ce464c6c3d3ccb9f1178c7f1d91ab5af30011

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
3991f519cb209d1628cd6a114b6e3246

SHA1
8cf78ff05418046eefd4e434f448de41ce9f31d1

SHA256
31d6751e73e7aaca07384c84346e96d5bbe91464caf76d7bdef5e92c4082ece8

SHA512
e19f42d00e8e9246a7b765866228613b2ccb7f4f1a67a693c46ba4d2e5c1a0ad31c595252838118d32ce2405b3e5eace59b235a1a686eaae1828f3ade18fa210

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
238b7cceb30781dfc321b43185461b6a

SHA1
8e05eb8a73807d789a4e8d4b13eb9d444d1a7d25

SHA256
5486ec3c5515ad9acb6f069a7a9a793b1d19511b007f3173125e4694aeb02cd9

SHA512
92eea5726ae1d38b2cf735400713fd02d1d5f3027daa94627bc878aea848cd9428a3284d947307b5a5f9754529d3b63cf76a64d54f6491ccfb87a3fe6c9999e0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
f55275e1f36bb4fdd01e9be6aa90f5af

SHA1
677441347fd18e8a640e02ac5a0fb22787535d44

SHA256
3fdf46c67d481c1d78028fe89b7e7585aa1366b59a7c9db4e0462a3c8e0998b7

SHA512
011dd2ab2919d80083a2a04f9e5034a5aca6b573e07e456b5bb1f5084a278da196beb3d36410359aae0273bc6c9711c88ab8f879a849dda383829f8aaad1b12e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
88fbe9cc129d7cf0a1698f60a362b897

SHA1
d901a0205c92a2c1f1a4ca91bcfe15e28193dee4

SHA256
dd831d0d9a8b56c3c67e262617143248d78bef85d466f038a31a3160d987fc1a

SHA512
1c58272b557bb905f8197525a67e4c77acf6669957752fad096585042a3c51cffaa6dd4d799a551a50106a1d38f0e9832fe900a4a90cac16aa319774433c152e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
9f64f5e8cb788b632488e21fe5caacb5

SHA1
f340d21c76625bb26da474ac27d1b228b05ba4f7

SHA256
efd775bc267ec6597c29765b7eaa4cd8ca711dd6de9aacc8dc79fb96ae3b6dfb

SHA512
2b002c8b271a1186e403b7db3f79fc77df4e852827279936600c3f3ec40201bae8875e9413a19c1a5631c409a9feb1762b5eafc9a246adfb2a8ec2a2a2e1df8b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3d6e1d3ee31a4a6bc3216a75711489fa

SHA1
6ffc8c523636b2dbb3c78f3a520679ef2d320713

SHA256
7eee4d63c4e93bd837025b274d0463e2164b5ecefc64b91bbae50ab04be97ddd

SHA512
8fcc4ee5ba7a86eaf8780023663248a7591010da29585185a59dc9fe760c673834d5db0632c713f118ad18f322a55fb3bf5318eb70facd523638943428386baf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0f183552359c04a7711f0ed6a9801999

SHA1
5991b2565c856408512e8b684714bd50178c9240

SHA256
80651e42bd62179384ea4b8dedde3a6c2d8c1983ef6d7a789e28abc4deae6ab6

SHA512
52ce473b658024428e5623045c62cd0cc361291083cb1ba2597c95028bb774ea0d999bbeacd58686e525d84f6b23fd8e17fcf20efb5e3555feadaa76863335cc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2ed7b8f9505267eee1860fec8f67291

SHA1
e9d9788fb0c0af54d51072171f1565d71fd1a323

SHA256
f818d214faf8360a290bc7f1fa5c973abd3d63d85a10f625ce604691d018f899

SHA512
bb869ca1715b05cf755fc18d1b42a89bcc045af68d4b940b27187c0998836d2f75100a2d5d6f17600e3494bd29b56006e6859c62a76805c86cb372ff510494de

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d461ab94dcd6f1fd8d70eb52ac107b3a

SHA1
7218e53bf554f5ca85169b5115ad63981b397af0

SHA256
3ba9bb54a63cd1a142eccb99df8615261cece1c086cd3e215f293a834f98d375

SHA512
19229df68a3d5a75f06a835df4539ae7f43ff58de463aa43d331d76f02cc3bd687893ad355b60a2880d2ea2da9d46dcb42bc9e2181cc31de895a9d9d6fde3b86

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
23c16092a966d69e1465e50ae9afd7b6

SHA1
4735ef9ebb88c31f056efe010af55ff25441ecf7

SHA256
7a68f0a69b08207ebb941e68105e0f042238ecfa173a165686d71b5d904c00d2

SHA512
12fd0f888e1641b362ff611bdc7370772d0af9c36a936aace48cbc035f2d39a00399a3c645a3cea1290cb6c3062f9499a6062c5be6c6b58a7df0b67f08047841

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5cfd916074df0f36b2c7f862b1b28136

SHA1
335232e9e70a3cb99be314be16761f638e5249c2

SHA256
0b8a2c43b34f4d2b2f6d0a1e4d8c683fe1726361b09607f6efb231cdf7f3ab43

SHA512
51e81a363e3f29716e1359450b97aa369f2360f99cf9b37f96a8810b6f1e4dc6cc74f1856b4564e74b0cd38d4ae0ef6181e0ebfab4dc151e5e7d04ea1dcea0d4

Download Submit
memory/1080-265-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1828-264-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2000-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2020-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3048-136-0x0000000000400000-0x0000000000576000-memory.dmp

Filesize
1.5MB

Download
memory/3092-25-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3092-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3092-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3092-147-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3168-262-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3172-19-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3172-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3172-102-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3172-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3504-96-0x0000000140000000-0x0000000140198000-memory.dmp

Filesize
1.6MB

Download
memory/3504-86-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3728-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3728-458-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3796-513-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/3796-103-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4204-518-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4204-266-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/4224-170-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4408-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4408-95-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4408-0-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/4408-5-0x0000000003C20000-0x0000000003C87000-memory.dmp

Filesize
412KB

Download
memory/4440-137-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/4472-261-0x0000000140000000-0x00000001401E1000-memory.dmp

Filesize
1.9MB

Download
memory/4624-83-0x0000000140000000-0x00000001401AE000-memory.dmp

Filesize
1.7MB

Download
memory/4624-81-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4624-72-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4624-78-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/4664-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4664-517-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-263-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-48-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4888-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-407-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4888-54-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/4944-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/5064-56-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5064-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5064-43-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5064-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5064-37-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/5068-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5068-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5068-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5068-453-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download