359089c2120220361d6e08e01a44518a4a3047c1ab69ceee8d8f0b192d68b0b7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Size

24.3MB
MD5

b7966a5bc70dee0bba493a1159e91e50
SHA1

87f991de02c35cbecc04c4704de2c07719d1f5e9
SHA256

359089c2120220361d6e08e01a44518a4a3047c1ab69ceee8d8f0b192d68b0b7
SHA512

9cd3d4c58c891347654b4ae3a583b54545da769ea0e1b551d0aeb26b46498af4fa501dbad5467f02e6f940de547dce4d0b1c8009a757a164eaefb603ad6fdde2
SSDEEP

196608:zP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018eUtq:zPboGX8a/jWWu3cI2D/cWcls19Utq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5048	alg.exe
1892	DiagnosticsHub.StandardCollector.Service.exe
788	fxssvc.exe
4820	elevation_service.exe
848	elevation_service.exe
3068	maintenanceservice.exe
2288	msdtc.exe
368	OSE.EXE
3472	PerceptionSimulationService.exe
1696	perfhost.exe
3100	locator.exe
4480	SensorDataService.exe
4608	snmptrap.exe
4808	spectrum.exe
5036	ssh-agent.exe
2940	TieringEngineService.exe
4852	AgentService.exe
4816	vds.exe
2404	vssvc.exe
1172	wbengine.exe
4976	WmiApSrv.exe
3068	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\de53319cc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a961bf1d2ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b14d601a2ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db9b6e1a2ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d26d4e1e2ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000779e9b1d2ab7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067396c1a2ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2eac81d2ab7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	788	fxssvc.exe
Token: SeRestorePrivilege	2940	TieringEngineService.exe
Token: SeManageVolumePrivilege	2940	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4852	AgentService.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	1172	wbengine.exe
Token: SeRestorePrivilege	1172	wbengine.exe
Token: SeSecurityPrivilege	1172	wbengine.exe
Token: 33	3068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeDebugPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	920	2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe
Token: SeDebugPrivilege	5048	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 5700	3068	SearchIndexer.exe	121
PID 3068 wrote to memory of 5700	3068	SearchIndexer.exe	121
PID 3068 wrote to memory of 5732	3068	SearchIndexer.exe	122
PID 3068 wrote to memory of 5732	3068	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_b7966a5bc70dee0bba493a1159e91e50_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3532

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:848

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4808

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3144

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:8
1⤵
PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
2b9efa3075d3f3dadf6b894544239817

SHA1
d31506bad7f3370995c740a3f459a7bca05d0dde

SHA256
283bb085df57ccbaf509aa33c35594470fc952ae31013d92a6585c5fd0ce7f7e

SHA512
bd7d4f7f857feff8d61fd137be5aa50b947372ad61642f084bad67271f65bf651450f2748625277f8e7cefc6bdfe61baaa5edfe3c9cbf5394e04590db9237310

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
37f3be96f23aa246444d05e4f5ca05b6

SHA1
2ae5a69ae4fafa528f54808b3d44d5ce2ab02821

SHA256
8082c04bca7107aaa6790f3712faf9de553e2b58fb7a8890138a8d7d9b471cdb

SHA512
015a3953989012ca3af5fb99cb89b8c28fefe11e4f35443aedfd3d16591ba32ea6274c93e08e824f668a9546d563ce76c9d483f1a52ac8a6d95c480d886dac60

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
161e6333b9cf0f33ef6963abbe881673

SHA1
78327d36e4236b046a0d68c5da0a9b5e32dc8d08

SHA256
3eca4e071b683a15a8586422f811fcab5995a368bfcc7b1cf4ecadd84da553a6

SHA512
672c304ebebb98b4314d5fdc32fc4ab19f8419fcc9bea38b235a6b6438efed5ac8036dab6205cf539c4d33a973c67fea06781ae728b09d0ae212e254baa28b62

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
14e6a18c88c15cb5d1dcc4204f7ab86e

SHA1
4d21187ecfd3057da1a22402638b916a6100ffc3

SHA256
3f3458c7aea4bf02078cf7a80ef41838b50b85d8768f6e36eeb042c7a7b82a96

SHA512
4c37486e75fbeb6e45b557e8a8248c60938f1450305415af84189feab95e74620a6ff16c3e4b0e75c13f42f51ee2e78876a68a7091a7348ba72d2cce2934d485

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d84378077d07a32108d0f06912d95461

SHA1
e37b8e553420c89144efb42bf16d53cc7f2abf4e

SHA256
fe32f4c0c44a06a66d8cd00b26a974be35c592ecbb2406fa11f5bf7911649c46

SHA512
a91bde687ccdc5720faa4c794fc9d061a9629d77baefcb2963bf6973edb544497ebb4b0f9408eb50ae9888df64ad047ff6bc318c81219db2e980481dcecb7d9a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9c66cf41836dfd71965ddddb37782d85

SHA1
8e3b81891b63a19edbf430663b4fef800cf809cc

SHA256
a940313514c047f4e78cee59913408e230911de0da3b2318fba12df9672260de

SHA512
f4ee1a4a693ee6073183eba2a57282bfb6d9b21b53db8bef5e58d5f32ae05a9c77cc206cac4abc7e99d295ed891bc5873be97a437baf7b493d11818c76ac28b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
40bcb43a9a3ccdfd66a5e6b5e224cd9b

SHA1
d4f380c981344206d2f3c8d6f3ed23a8c62db2ae

SHA256
b124478742adc54a27732d7b56a18215247deb55052fe9021c48931a33c9fab5

SHA512
860e715b34de37cc6018d8fc3046893a21570a487e51790bfd8ddd5bbf2bc41ea988ba827a74218c2c8a6123fd067336f15bfeb15343a767e9b5c49540f2bea1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
f35ede6dfa2130452722e1d1773e6fa6

SHA1
5ab90db9263dd3b2eecdaa8a98d7b5e75a42957e

SHA256
a8b3dc84e9840ed315e624a384529450f76c9c931c0275edf2a800af355a6624

SHA512
ec28b32573152a2afa30223a9b0017a05639bcebd73786698f5fe1433ea0d0fc7ccc2b01498efb75b71a5612e6b6bc1cdb8706fce23769f204fffbab20e1ff1c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4a8fbd5e24b88d9fe4aba86b04a945eb

SHA1
c2926e4da75548815a296ec75a3f7179f17b73ab

SHA256
4c0c456f8773c6bda6604e036cdf86c5b386c1d3a8fe6ab9e061afcd8d2ab9aa

SHA512
dc566571c848f099c0ec657d089fd83179849ad7783b2f1ab9f5793363e1dfb896f666d07d0930b0ae3827268af2e34a453c42ab13801aa31f2ee41b08bf69b2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
394e0bd7db5430c5654f7549aa473a14

SHA1
120c1ec894cf339ff31f4a04e7e8cd42ac63b2ee

SHA256
7b09ac1d5acd5eb45f8f98a3710f8308808a1c7eae71f131021cbb4e06be33cb

SHA512
1f39bb60712b6709a5023c3e0072e0d6b92ce7ef7979cc51cce187c53e949cfdffb84dff8f43b8e70ce203c306f1294bb76597bdc3475f11ccabaa9b9edcb45f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ad1e2636d8a6ae10f0d9d6284dc3419e

SHA1
e69a78feaeca1d779d2e492d0eaeda917b11b94d

SHA256
110e5cd4c41931556f401409d6aa79915e599844ffb46270250b65f66be78be0

SHA512
ed82ad54ce4007f19149cd6cd348145a8f7ffaeb3cbdf7a72042484488515d6e4d5c0aa04b09d98c8d115e44ebbd542faea88e0dfe42b5d2b49da1c3e7b013fc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5b1deae5c6444669b25efec9b4fc9e06

SHA1
6d6537078b4ceac3fbae8c4607773a9982693578

SHA256
260a511a444f725b139f76344ba0af453bdc3be8ab44caa52fa2df36cb31e5d8

SHA512
d6a357899dd71c7a289c58bbed31fbcacf2288ea950dff94b095571bfb4dedfe0584dc212d009818aa0485ae8846183ffd615d536d5bfafd83b49ef1f4d11fc9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
47f9f7463244c940e1906a9b5d7f64c8

SHA1
b7e8ae7630b8eb4d0abbada86e4bf8dba56f158d

SHA256
17b5c3acc065aec6ef2c3c892b525bb4c03d82b891c4addcb7a672c357a56439

SHA512
374a7986ff4b33da79549109c9145615fa93ec4b2e0a5a5c092e8567d89ce19b0cbef10c2cc598b29c11bab04b31f70d09285739b3b8eabb7962fd3522ee83f3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9202799a7464200d3875621c3a53ffa1

SHA1
172e10445343161d494693fb7e47b2e38919a4c8

SHA256
124a26d792550020824198a3fd6fabce35b8bf340c64dff4968ecbc21748a9cc

SHA512
7863d65039342274de18ae1699f8b220a2faf6c04a2a03a59db4b6f8115916cdd403108eadada7972bc37f8037a36d53e37b70b7562e7f48ae69fd0acd57d718

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6286395181699cb9ae9e4185894c0f7d

SHA1
1b4c26543a26d86147fe495919872b43a0ba25c5

SHA256
339597ed6e600246a771986d9a22c05a8bc5e67263f0df7dc050c7627998ba1c

SHA512
21f398872cb702d9fe44646c16cff118a0ce78693d7dbc2b155ab2036285c98fc61708d8cc01e35dd2ea45a697c70b01a0c78754243917489a253949a7860150

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e168bf31fa8ae504389cb0a2003537e7

SHA1
4a3c027405a45fbc051548eb53cda25043a6190e

SHA256
97c33b92f806f9fdfb4e82e3f4860eb3ec0e225fc6370122e79c8669a043dbd3

SHA512
c417f65861e233688573262927e0ac30d59c36694f0c356da9e458efdc93ee5511199f68e745cee1260f1ab4b7f8555ac317342f4fd08780babefa981d2b6e22

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9ac986900151b1535b54620e083b68a3

SHA1
57c275731be58d5bcb6eb5f8c730a35f53894c17

SHA256
68a6daf829293ff0d4ba62fbd9d4f8de5ecbe5cb4f3c595bdf706f6307f6db61

SHA512
98dc1ea09157aca3040a9f38880f7e687becbfce927e5e7bf2b6f7c8c5fd102e7c4425e18b8bdfd2c71d47ec16dc85be840d23f8f1dea9143127fc62ed03320c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2b3a9ddc32bcb5260d3dff9aad05c017

SHA1
34c439955b6e1c72c5c5b6417d2601f63a8b9825

SHA256
f2afcb5bf1713dda9600ac7dc0fcf0a2e64bf5f06421e02fcad13c09c37ad11b

SHA512
aec405ef6beb725bf6e77beb2e2ac3d5b30fc356cd96aa009cefb5b8b0c2f65e14ea5289fe9509afbf2e8a989737553a1b8534ae2b6709851556a91062f599b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fff8ae32724872b7a47ae1877c050a12

SHA1
652e2d9eba70e34e62018b6f2473d24af9dcd284

SHA256
522707c87756c7d321cf56f01e29b1e6455ea314dc132fadb1db557656d17264

SHA512
cb7d4e6ae1fc9cc9b6f25d7e94f6dc08810787c4f5259c9d463a9eb063151a06f5033d48e0b18aa94e15959b37e06a8e6bb9dc0c0da2f780955df8bc344b56dd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ed821fd569c10fa6cb5a288b42d9f3f5

SHA1
28009e52852ae600887650d6ab12800c4a6e85d6

SHA256
cc2045b875cf7ac4e73fb5bf644bcfc279cb03276cd118e1de818259fa4ca7d0

SHA512
cd11c442791d7a43e94719f55b3cb691ff1d4304d06b36614c44580c2df2e48c7038570cdd4ce872d610b88ef0443151370989f7a30ae4f549f951dd35918de3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6068f2f626b2ab7044b2479ce9bc14e9

SHA1
2a959a18fbff11c45d1d1e321c785110cf65e2e3

SHA256
ce97a8490b025c364b9127d55f9ac379c34ee4fb7f5dd743b59811b028f255eb

SHA512
e45a485bb99d4c3eaf0858bbf2e6192a4af5e5740ada483317655f46b7787aa975e95fff9a74430955d6fdf574f9a1d4a5606a0911e3b70aec660067b9ba4dca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
44ebf20110c74985de24cf9a8063671e

SHA1
3a1d809c59e71ecdffcf1636e1ec6edf01bab724

SHA256
d426e26c297d40d7e81b5ed1d329f3c19001a55b91fc6f00f2d0bbc84f238a2e

SHA512
b8a2eb34abf9e610c4caf97bd674ce365a2b26077a60279f5c0cb5a3506ff0f6a1486a42a330959ae8cef6fea56bf0fa267f6f881a714da809da43078db1f6a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
41be266c582eef394996f01dd6614408

SHA1
2a7e2b8c271686313b029f5f0ac29825145d1901

SHA256
13df5ada047ee52808004574c6e9221195ec74aac86bd681714e1824b457d8e6

SHA512
f1e7da166b4b24df513b5c5c814d981761d11e943edf073bbeaf56b2c4c21b53920a6a73bf9e2efdde662fe7c7576be87d60bfc0f42b2ddda05824867d0f5753

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
623d7e847f9a93fdde4c2828b71c1793

SHA1
45e86ac92f94650dd1533c0b59e6245858b058e4

SHA256
5b9831f3fdd0a82752a128a62d54c24244f7910e44f93e996716d2b556a72a16

SHA512
04117a5dbd64024fb15b1be6ba5e6886a4b4deddd2012bd12eaa20019c9ce63430bd314270a1ab6c2ec581c6e0fb320a6bce208107a874a2e25b8555939d629a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a243b5ee8dfc308d83466b0680d54e66

SHA1
b3135da6828262d24731dee9b2c3a2e224e64167

SHA256
eecfca79dd4303ae638890c51dc18988b75537d9b1b0d38a932759c11af2d4b9

SHA512
86fbabba082698dd9eadcd499f43e1c62262bdc6268900e5d52cedb531629b780bbb432cd3361c8fc583db86dde85c0fa8637f9c2e45b4be874ea152bcd4f59d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a878728fa7e085bb55408b98153d9e85

SHA1
8df1ae196380fbadb2c3706965948b37846bea5e

SHA256
e16696382f96115dd1db50b64cb33a5f11aed1197c769f5667650e6894c4c21d

SHA512
bbac3db446009a79c26d7083554b3737b7afb131bf6eba14799075178361a1086517817313de90ff9fe7cf0074144bbe5c6427a374f87321e65bd3ff5f094e26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
180c66ddc5813004f11128d4630f2216

SHA1
101f3df3fb221176896455482efab31011396a95

SHA256
04bed349ac39b258165de7b7278cab44b8da2de3a24db3123a940442f115fdc5

SHA512
10f25be1a6e06c735923a8cfe2d5bf9ab2a29f82b5b5be97cfff86dcb47897b30fe22141a32028a683737c07366858cefa956d3550e378751bc704c032af84b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5fd5e9d95ae306d3dccf16d0f1a4f850

SHA1
57ec449d374fca843ecf731180f884e9a08fda25

SHA256
7b5f553950293470d2d34cb1e7a739e0177530792777adf30a94e4b26a0894b7

SHA512
0a79b2977b2ee72076b67413a263dcd439ce4597852fe444f1f1419a332767974fc99f4b3595e1ded9ecc53bdd01f173d2bb59ee7004307fe8c90ef9a6ca4e8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e63bd90cb67ed0e95bc877a1fd658be0

SHA1
d10944807bfd302bd6a977a8daf98996bcd30ff3

SHA256
9891cdec950c2de006d7e3a464ee9b09e534ee222cf93e96447270112586a1a0

SHA512
22e5503acf7f6d525349181dbf0549f02001a34d115214fbb459101cf845db1c1b3037ea47fc7073cca34bb51e9edeafa2554236a00c74d5a36782a34e60a7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a7bff5aa9eb739d86eb2160541117b9

SHA1
3c96d886e853b754639db2c57ece8a4fc67ddbae

SHA256
f52e71e43681f6cc0624dae5f74dd1a0d10a6e5bb829d855ee4890bc3954207c

SHA512
5bf0993fc704ac608db6cf705f2efac81cd814d2e18b3d6f23ca0476024386c8c7e86e2a61d7c5c5c1a8763d00bf748188b59439cec6f5bab463450e45e593f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d8c8b7c17fed05170e6a8feaeaa60b52

SHA1
8a43af305796a1bd93a38ff560eb86808ceea5bf

SHA256
59aab0e71fb7732a257aa0b02e3ac18f5cf69b57815bcd6406455143785ee288

SHA512
ff7333bd8ff47c2e783ae338365c1dc214d61185f20acc97b42070c90afccae1f192156315935e8ec3cdd862db628d786fb359d5b9d147900377b5f25e2ebbf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0dd07ffd1a7d277a88e31f35515790bc

SHA1
243b06fa8c0b0eed1a3159fbf389d6fe34612580

SHA256
0f88ee163328a525dabb77166e1ba7fce46545495fe87093ac2732be189c2614

SHA512
ca24bde35ed37d6ee2865cfeb7d110af674aa06c1bc496a0e3bf99d7c93c0aa2ea3d9c733676f499e6c9c981fa1aa21f33b186b40997de5a0cd57f96cad368e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e59e4e1af4eedca7aa859557fee632e5

SHA1
43698ce49b42b11971a5e76a554e9fda98b45102

SHA256
28e4bfb55488ee20457c0a17629cacf686417ca79db2cee6b6e21640cac0ef5a

SHA512
b028cd328577e4d8c372b05a2594abf7949ffc79a0f38fdc0269a1f981272d12eb30dcd4006c69ba425f993fd346ca83a1526835616296169353c9cc6afbfa92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4f4f5614effa226f991ad138fc41da85

SHA1
d87b782477fb823bd647c52fa69ed9d035090af6

SHA256
e7a675978eba104a39d617f5f5809196a6133ef49be23d5542edda631b8ea59b

SHA512
de38b8db270fda101561a8bc3b3f1169bf81eab85419d9d95cafbf3c27f72bf8736873ba9bf98a2de8e1874a748897e084c4a042597536082895570a1b2932ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
7482a84ae67b35aa6c1fc2820c519c8d

SHA1
11c4324b55bb1d5f08b34d84d5c13476c4127025

SHA256
d6831f91e9b13e11b03a85d608b4a145605ca98090922a6e398abf6a3c83a1ed

SHA512
10c372e7c500e3b623a294be571ab7016d4cd38f396e906bf898f9e5d1cf83fd741220c3ab42ab01c071f35f50bf05e654c173657ab970b474832592fb55f167

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f9dab189524a889dc1c7b0d800f3d175

SHA1
b2b988bb3f6664dbae1db8a2a1108fea09fda8dc

SHA256
dd59e31e143a59a77a300176b0db105e825ac22936f0554e66657732e9f3bb76

SHA512
8e373dc18d4f6b90698a86a0af3f72e9bc48bf89122bdc20feb75d915704091af3d56322a9c43310e2368325edcdd373b7c122e10a1047ca66a3b49bc00a07ca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
04b28db245b50f74f8a0a0f1dd0fd9bc

SHA1
1eef33177e6fe915eaebf57ce9fe5a4247a541cf

SHA256
55c5473d80ce606364dd41195e07d811c60c620d4608af5462e225952f24fb9e

SHA512
d94880e948cf8fe9ebe78675e8bfa87f762bfd2fa4ed006969f669aeba6a87ace86e7504ae4cf56cd4e425847880c34acdb33b54a6232bedd6860c6c0b6545da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
99fe6bd162e7131390acf317906ce2fc

SHA1
8eebecf52b24f2e2192a1c5ac7a6b645313b96c3

SHA256
2720280d7e18f09dd06a6ca87f10c605d221ac0897691f44822604d996fec8ea

SHA512
c3f74eaebdf645895eff8e7cc24df80b53232db6faa08e39b9f626e16c0a775aed14fa6a837a344aed9eaba2edbcf36bd91523545ed0f2a7a7192c3e056c2b14

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ec3168bd70768c193e41c75a2b2e3149

SHA1
70da5b25b35f5a83da785a84cb7e87d1fa7e4606

SHA256
cff5b5006a423d37377961d0c087369bb677995a25b41560d54bc2a2ebc6fc52

SHA512
709c56ffaa392129ea89cec333bb89fbd2f0aebd0b56ca290b80056144dadc43686d0b9bdc5b0613aa5815d2547fa147cfc7d151e8f4cbc17aabfdb606b8933f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cb445a8f5cdceefc4a4e994304246317

SHA1
e69dd336a58a71e8df7f58001fa8fbb42ee88814

SHA256
b3d92f569fb640dfd3cad1c52893e1f227fa7a228c4017b3dea78ebd9394de00

SHA512
dcafd14a5d7f8c723c01766d6a52333e12e6976ef602ba6f27ee0a9e7b25c32bdaea0507adc0ae75208c7f0af3be84ee4b0c5a7c74755642b5fd4d780de895d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8636100799ca8ce00a81f79029e9c69a

SHA1
c7f626d5bbcae7b1ec5760080b55e883f177042d

SHA256
f9f4198c2c2818e781166bffa40cb4179c0267b5ed5f5c49489997b7d8d9b916

SHA512
4bed47c166ad87cb42191bc73e493f73bdf46d41d4e1fc3bfda2c91363851c67fe0dff1d78728ad7ce98ab84c6719dca83cf22f73b17c20ce13bf6a1e2105f0b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
24dde690b64a2f17f3faac225cb73c7b

SHA1
921e906f67c1b0f154b0edd6f6694ef86176e917

SHA256
3d5666c45670e5997006e1ee9b59dd231ff75ea51e3aa6939ad5a9d42eb4f99a

SHA512
c755401574062195c70893ddd1c53c88544acf10c5ba572f5fa13b46ed56b76da3937c0855e006534f7e5acad8cdfe0107010dde81ec23ab1756afabf9e2348f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
432a934cf5126ec4eb65b235edb23fc7

SHA1
b0b5406c7f0425e1e7e89a72e6306c76f878d96e

SHA256
f336598b2162c356808be09f80440253cda18c6ca3e007cf41edcb6ef5ed6677

SHA512
8482bd76adcbe068e3425da56baa581512f7e212f854a118d159641fdcb7ac5218d5a3f7a3eeb8f65064c66885fb1c27d63bd5ade36a8db00060ee8aa4c48179

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3e2bff01d1dbde6441547e6b6c9183e0

SHA1
5626749d142fb021f981a74c5f21a93cca25bd48

SHA256
6568f3d6e512f629590621f53aa0ab1d7482fc2b3485506b0e58cb55229b68ee

SHA512
accb955c46b7ec93befa1c50b43125decbe99d6c0bf55348ca41040bf2061e5bdd9de3811ac1083b07e860a593b2dc84dbd971fe3c83280c69be0ca15d884bac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e49d233e9fc8a037874edcdb40c67689

SHA1
cdc32c96c64eb3065c16f46bce6b29206a35c3f1

SHA256
311b4535a0b49af372e01d6e0cae0e728d273c890ca3f28efe0a6ae1c90008f3

SHA512
e576f480077ccb916d647e363b91f5d5836562ea080c49ae3920b390e5c05788607320ed0b223092198dca2c1d3ed6871002df38c459a22f396916f7e554c199

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2a6915045f04e06e87cbd30acd0d9fef

SHA1
469a0791802b4bb41e599c6e4d49c243701844af

SHA256
610d5e769196d4dd3e3373e3f8ea8f20236f57411cb92822543589b88a21e3da

SHA512
4beffbc6847f22cdcee61bc077d98c6054ec14e15a5ec1ef51557070eb45772a16c97e1ffdc36c21c6989e208463bd2786b1ddaedeb09ba003264a56f80fc06d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
76d47947e71b98745cdd0bb3c7be66b3

SHA1
f31d3362b088f2b7abe94085c293b22f321db380

SHA256
2a68e293ca6f72823f8007f30ea71cf98434f4276509886cdb4ef4b789b0289e

SHA512
175eba2652873ac0e5aee1be28e3a82cc635b1b450f3accd51706ee4442c83029fde97b87f868f68fc86e950b4ea61e9f2c7c49f773a1e0944183b9862bdd195

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
625ab40f04f9a3f6d6ccdea52617d784

SHA1
3c05a95920d0b1ab11ca60e68aa95a3ce7504029

SHA256
9e70a9c6569e56d899972f13bccf9927531b453e2d2409c14fc439f78ba358ac

SHA512
7a12559d8ea15b6e8923412201d3ad97bc642fa6effbbef4bc2a0ae8298336c770067cefef7af266911fdbdbb7d1c9c6bb87cb82c9fd0e4cbf9fad2239251dfa

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
08f20cd7decd9d7e7a27c82e7432da76

SHA1
63bbfaa6973ef4bbc5c99325af2e207d5846a08c

SHA256
28d49795b6e5db1cc8dcc4ec32704c3a2c32b9fa06b300490650c9c44f1f6684

SHA512
cc5d5e84467e2b665eaccec30178e1314ed2068b32ca781890a8f47cc9d86be87b54d37cbd799db08d24b958e867f8b262c928b8bee774be58d86471158b9534

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
97ce4a02055bdf9f6e52742648d704ce

SHA1
c3df94d765c7377fa8b43615a9be326656545fbb

SHA256
6fe5392a30143bd888642808a3b4402928a5abb89e753a8988b6ac18c06608a5

SHA512
01c7b9e8c1e2a0858c11d8c79c0e18460bffb004bf49fd63ef56ee1a8bf4f7376345a190a4edcf05eb5e850cf9684ef5c5e0bd330bbb143dc44660204dce3a05

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5fcdc1f645b8faa0c492cb560dec98d0

SHA1
4941a220ba5e49e6920907c0b46cfede8fbb2e08

SHA256
cc587be063dd0426879df90fe841439db8235630278528797c90dfa3881bff30

SHA512
f25b92dba8412ab0ae1318b9d20d23a1c7ca223f675d2d05362355a0c50f0954f3afb071d4e8d1ccbf51d9cc5e6dea553f56891a38094cfd11d05ec736428aff

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8fb0d83051cb994f533835d158c1342c

SHA1
0d3ddf65f2c32285c1f074d0c15f9b686b36ffa8

SHA256
5b45267311e3fabe50244ecd9487aa4127af25eb575bc1586a99427c71ea4b33

SHA512
f8f0c53af4d2375a7fe0dead7061467768a5698e12b64ff334ff0d251567e4bf4423b7db3298b35cdb9f02cf8edff0575c1b0152f57af86ae3666ea98f089844

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
255c21a9a1035b620ce672e134c5961c

SHA1
1f538451bdf1946d8c49429dfc040f5f3d3b78c3

SHA256
7b444b26f8c59438126fab41704b68d4606528e54fb332dd4468a80bee65c768

SHA512
6b574e8bb2dc19cd7c9c8b691b611a7c15b74b5e738d6d7ae86121d9cf9fcea2691ba930404a18d4df9d992c25b4e15c9413bc8ebed5bb29d96c5f55a9ced7e7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a6658938c41a7c5a0d9deefef64053ad

SHA1
32c5f6c690d95bef8633bafeec03c794a70e81a0

SHA256
0c576f08afeb11b8a294cc2f3157b855d517074e05c5332569dd1ae911834926

SHA512
03351589d8879a0fc16947741c8012be4d3db430924bff7bd4b3ffb64ab5bfa5818bb4e24c2585fc6b17d4b8d301833237c8af0635d0eba48a28dd5485282449

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
71962eda0f6678d46f6128a079da2b37

SHA1
a6f7351f67cc65c89de24e1681600849a330a2c6

SHA256
277185d886d9f7979be879fe62d7d20f014702390386b899516ce8b11ec9efc0

SHA512
76a38b916840b19d29429d9bcd971820afc11a2c785f6fff6b9a352d92eed56d36aecfd33151461559dc9fc0dffa1ceb8cfbf4a2d5f24a54d292d30a22869b01

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9c130b9b11243e8cfcc41e9f49a63e9b

SHA1
c0861481e5f1ec1ee55d3dd7b23955af8322b7c0

SHA256
bc9d13aff584a5904864c103fed7a0a685f2f461c9f66562501091fe15bca64d

SHA512
2bf995df440449c48c8532b0dae7821660994e0e26c6294042fb8a259331d493161af436df31f45f23132fd1d59e3786bac46af3ddd8bc2480da015f80cbd2c9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7970fed84a8369d09dc15d9b25d84cb2

SHA1
66c8a8d847e3025973808d5f1bb8dee877a77b55

SHA256
7729307565af4d76c9aa06a431fb87ce62f6b3792b7dac3b34f241ed9b9a7af3

SHA512
b3da054d236ebd6c76e6eb530d67be829d61d003ac974fbb2d7ff5732f17b28837d918ff7c17d8dc237186d1b8ca7a9b07e1cf4910564fb20d86ce80254e426d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ec5ebc8f04d1f42674cc85f19cf0bd51

SHA1
b1c324d72e346af6267edf3d633819aa6e5546db

SHA256
f06add95fb7fe0ef196aafda1f8ce0a9f59127690c9c9ebf187f2c1133917ecf

SHA512
0af46072ebf72c8df78945e7f645336330dbe1ae4225d5ae6bc338602d8792de8b82df6859b315807fe7bb5e039b221417c40af102c1fa4b5179e412d36491ff

Download Submit
memory/368-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/788-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/788-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/788-57-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/788-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/788-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/848-569-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/848-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/848-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/848-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/920-21-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/920-5-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/920-162-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/920-0-0x0000000003D50000-0x0000000003DB7000-memory.dmp

Filesize
412KB

Download
memory/920-35-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1172-274-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1696-168-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1892-33-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1892-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1892-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2288-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2288-88-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2404-273-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2404-574-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2940-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3068-74-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3068-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3068-80-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3068-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3068-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3068-84-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3068-576-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3100-164-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3472-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4480-165-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4480-549-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-573-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4608-167-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4808-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4816-272-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4820-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4820-54-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4820-567-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4820-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4852-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4976-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4976-575-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5036-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5048-10-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5048-16-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5048-31-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download