ae63dbc71c565d61ff336058e1616c872088b1a8f7a68d6b43944208c76fe7a4

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 17:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f43cc9f97a312ae4448655bf5dab20ff
SHA1

089fb3c86c4d76069fcdd4f83ce4b0b2480b7422
SHA256

ae63dbc71c565d61ff336058e1616c872088b1a8f7a68d6b43944208c76fe7a4
SHA512

bce37e2fa95f25563e9f3ff3f3741888a5aefae241fce9723c4e85e25accc2f0c007ede151614c2cdd42945fd1c905791f4c79b00e0059824c9be44b94a0c76a
SSDEEP

196608:JP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018H:JPboGX8a/jWWu3cI2D/cWcls1S

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4040	alg.exe
1004	DiagnosticsHub.StandardCollector.Service.exe
3736	fxssvc.exe
3116	elevation_service.exe
4624	elevation_service.exe
1744	maintenanceservice.exe
4960	msdtc.exe
3528	OSE.EXE
4616	PerceptionSimulationService.exe
4796	perfhost.exe
3636	locator.exe
4504	SensorDataService.exe
4708	snmptrap.exe
5088	spectrum.exe
3188	ssh-agent.exe
1608	TieringEngineService.exe
4704	AgentService.exe
4024	vds.exe
4748	vssvc.exe
1744	wbengine.exe
4072	WmiApSrv.exe
4116	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30de3627293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000849aaf6d34c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d05f86c34c3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	3736	fxssvc.exe
Token: SeRestorePrivilege	1608	TieringEngineService.exe
Token: SeManageVolumePrivilege	1608	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4704	AgentService.exe
Token: SeBackupPrivilege	4748	vssvc.exe
Token: SeRestorePrivilege	4748	vssvc.exe
Token: SeAuditPrivilege	4748	vssvc.exe
Token: SeBackupPrivilege	1744	wbengine.exe
Token: SeRestorePrivilege	1744	wbengine.exe
Token: SeSecurityPrivilege	1744	wbengine.exe
Token: 33	4116	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4116	SearchIndexer.exe
Token: SeDebugPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	776	2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4040	alg.exe
Token: SeDebugPrivilege	4040	alg.exe
Token: SeDebugPrivilege	4040	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 2360	4116	SearchIndexer.exe	111
PID 4116 wrote to memory of 2360	4116	SearchIndexer.exe	111
PID 4116 wrote to memory of 4588	4116	SearchIndexer.exe	112
PID 4116 wrote to memory of 4588	4116	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-20_f43cc9f97a312ae4448655bf5dab20ff_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4624

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:872

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dde33ccb03052b5d8c4663764ad5f700

SHA1
58d0b886e3106072deeaaa434582f746f9b2c960

SHA256
d55014556804cbac93b1dbe2de26dd0e01add2837aca4cf3343dd6ff05368b38

SHA512
0ffd2ef0084b3348b94012c3a46b5245592d7cb0458e5d5fd3bc18b78e273f42339c2670d7fc475ed862ba13871e2f0ca87a0bfd65706c1a5f1b425497f641e0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
db5a1946740d616913eef3e790790ced

SHA1
9d099eabb87ca9a94c9860f099138b8cbb88f3fd

SHA256
3266967327749a7f86401c0a702d3f507e002743745c8d9d43c327826a77a512

SHA512
d25989683322cbf7692a7542297d26427f8fac1cd339531f2ebfa14c90ecec5c8c260be0f4d3ecec45ad73a6a20fabac5d410da9528a68fd1eb109d7b0c5ace1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9659c9e69c6ec1a4b277b5738f1714dd

SHA1
07c2de2fcf7723ea914e4b20ae2674ecee8446f9

SHA256
c15ca1cfdd943aaa8616ff590e9e2d7032a1ea7a152ef73ae97e71b71dad64d2

SHA512
bd6b5727567b3dafa728368397fa37cd7a9991d0bd049463800b03cdd95c15dee5b01bdd20646668118f9d6f095f6a363bcdd1e63f65db4a4fa4c8ace9c266a8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d050b2f210688d6dc57547a08ef04f20

SHA1
d586b88675ba2a921a6acfabc93f93bc0115efea

SHA256
412743523239f93a8e96a04fde7643799fbe3142438966935a3dfead593cc5f1

SHA512
3221fd26ae085f227a9db44202c638d3b9434a4a63d988e5f1ab7423a0e53ed3762eee2dbccc2f15df5f2837c2c6d5c411bcdad2e20ad941a5c9af789d2cfa22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c8fa8a29f1f5bbfc395dce91d7c0c62a

SHA1
f116eea7157d50488662f68491f0afb221eeb726

SHA256
5aeea25179647b16fe3adc0b93f051e89c906e57f481fa8929b9e3cdb57e3836

SHA512
b783e01d6cfd9e3f7800d25a37bbb34eba659d1d4b18d98316413b98d342c2c1d7b111af05b8e0b9753162f52fe933560fd564869274984ce378e23090973a70

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8ea06a48581a8cc9bd5e6d5ce3408b22

SHA1
7b7725298cee9d1538bcbc91b835924c63c3028b

SHA256
0077872d93e5a450cf41e5e87913a4e5b6c5601537b891370a8498c4bcf32dd2

SHA512
eaf4879dbd5ce00035dda966ed9d9117c649c9b8e7417451b6f08493841a08123e1983c6221c10a1da3b10855007e7d99c3536c98ee16ea4cf8f3eae0e34b9b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9aa98723e0b6d44721e31255d7df8986

SHA1
b14a1f20c232aeeb045bc72547123d7239f39c23

SHA256
bd611ca900a48f5fe103467b26ab4f9b96c9abb49bc64698514296e0e331447c

SHA512
97301faf15321afd8c9d3c633cb2264887ab6672528b09b81022da035b3e027f0026aefd14b93553087fe86910c47984b76bf37bae13bc3be6a66dabd06c07a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2fae439fbfda7029ca6436fa4c0563d2

SHA1
ed9036654364f7c6e25d88c648475dd797fa9ad3

SHA256
82e2ebda9a9fcca39ba1d372f37b10f44d935088cf10d89302a87862c1dfa650

SHA512
4de3cff7c5a623d1758720bd2c5f472b447c0563826a97667ddf19e1dfd22bbdbb2f6d73fda0814227f0cdd62bd090e5bc433c0fbb52320c58a68c3f10a32cc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
874598e9b495870e97b0dd857426e786

SHA1
fa9c043212d1f48d780884184eae782ce1f976da

SHA256
17305312f2b41d07acad4127e9a5424f9c902e39eaf345a86a9e5e724a70efe1

SHA512
350e36ce5f1d4899be87946d71102e63eee7a4aa5ffd9d7ab7b22f19aab876922797045903623e153ba5a2f58a6ae16e0a53bd26e3368c5fa1ca62bcc4334142

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a0ee833d4ce9cf585686fdbef3125677

SHA1
74d25ad51be180addbe2aa3c366de9da2520486c

SHA256
aab33e8c12f58fa3e3f66d0e23599a2f185cecd652710d07e9380e34ab837f65

SHA512
b8f8f16ae102d1c96336076212b60537156a84338d0893132766acbe967203179edd96c99b745f3856678fa2d81b6bb4c45d291419cfa2bb0373fd856b8861d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f1085029b316b95a18548554a4e7db0a

SHA1
d390ae36b6db69ce7edc983abcbdca70a4aadece

SHA256
0eb46a5461db9e104a967ca794be01d3caf79f421d5a2ee80276569d31329c19

SHA512
bcf20692f0a31dbecb414b6b6215baf87ae9398a4c19571e8a4f77f34043df907cfd88668b4f9a146b5180e76bb18473bd4769e2f0244d8d9adb3157c9f33f8e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0165e21851c6a85495a825268fcdac00

SHA1
9127be7a8997e7fa6040a26c733f693a89938dec

SHA256
7e573ad28ecc07d9b7ae247b42771277a7aa6487b0e244914b70495ab7515ac4

SHA512
4879ebf9a1facd86c41005c908c7f8c0bb8eec3955dd01a12f567d14ab1e439595b9e17fbab9e381b4003630b6ad87af1f90e6ca451d7ba6fa963e5d2baf75a5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2ea5c890bc37b13982afdc68068cd398

SHA1
ae40a556fda8b0ff03c702071a6e80f28b2db011

SHA256
35c026ccaa3980fc51dc24097d43e28e70529ff7eaa74a4c891e6353c297045e

SHA512
7c302cdb6dec93695e1bb68395e117111ecfed4e5f568e6a27ab4e3979311957759010140ec45c497d9ba6eef8f62fbc24b91805fd23798d21dbd4f8cba368ec

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
333ea65350da2c253f6e0711aab2cc12

SHA1
3a6a957e6e3c9a8da27187595862c4a9a41e71c4

SHA256
77aec73a6f9143ad38de968dcbc5b20f1fe7d00236b5778e8cd58619c1f95d8a

SHA512
53fcd22f45c24d76e225bc232de8751a85b68eec9fccfdaba93ccc613eaccbada3cb079b52ee8da6bfecbae36469d1ef4349ac0acf310fbff3532384ee11586e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
6ba8279ad7c82ff0d913270cb0002fbc

SHA1
5a222419557839f2c734cbca7322e7bd36da91db

SHA256
c4b1d4c102b49378c4241cb4eb68b3e2441dbf0ca66b3c56a9d6377aa561ba3d

SHA512
601ac0c5297166b2657c49a6ddd803c1478e199ce0dd5b897e2e48480f2fa64f000dd948a340a6a3951ceeedb293c9360c9a33b27816818d3f2bb9b8802288d4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
7f455c56d2b898c7195389322463f15d

SHA1
65cde44a3606c02b24300c219273bd1f0d7e8b5a

SHA256
eda95a92d316b2c1fc24a1eb8bfc84fa2faf5e0406a13bbaeb5d409086b09f21

SHA512
7518056bd62ddb02e75f60ad902c748c1261ab624efdb4ff997face4e369c05fda5a0910c988fef793b9cf57ede00ae91933c36c0620b0558e45fa2cc37e1c49

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
cbe4b4407172c1e037505971e076c63a

SHA1
409b94ef0b6cce9a00d2bb592c3054440e6ecd19

SHA256
3efca76d924ef85e3a66d689494034e6bf85df693953c755d79d4b484c6945c2

SHA512
74583727ced1f03a53dcbd22eeaf92a05a0536e9fe29567e3f413652d2f66f21e55cff3f82add9f53fd692de2b52ae703a424b2745f73e3752a8e14a6afa9409

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9965203a51d3d9cf67768368532b8565

SHA1
525a43b2685ead32b6079be75d8b07e7328fad82

SHA256
6b1b09d9abcde9d45dbeb8b5bf2ed823d76a37de73efa42058fc8fecb26fa2c7

SHA512
88cd3b3923c3fdc2a64768cef8aebc649b68589ccdd1bbae367e5a7a714aba33c0424806691b27a48ea92e81d238ed513e2bb0fbaec68cd5d332de4d04a1dafb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7707011c72297e90fb0b8b12cfcc4a5f

SHA1
13be8648cb030ad752ea99ba6a286597970ebe8c

SHA256
f18ff1cb8b83771c9acafd61137693255d5b9df61c7a180168d2014ee5108162

SHA512
96b1b57c5b2d44786eb5da07d6ebb994b8e14257d026e422fbc1b719302a64f00b67bb1939e556596297230721c9e0a870515d0abc1ddfaae46fdbe94008999b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
5a4fd73c033008e86cb28d3682d09cbb

SHA1
6955127e690bad7aa287f36a5224e11f49d26f97

SHA256
915ec0c9fb3ba12b151329a08497794625fc8e4be12d890755e4ef94c7afca8b

SHA512
01dae15081b050c98c67a05a2b9d3ce72641b684f4017f92f296c53584df6bb926661adc576ff730af8737da203e6b973bb4211f1012be28664fb35a46fc07cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
685144d70e932fcd4be0587c80ee1b4c

SHA1
e2174768bfe442e0a13e3479772fe0d637c375a6

SHA256
bfb295720e90551cbeaca9709d50922fc07b49498f5126fbe4e0bbb8ea8ffe31

SHA512
f6781a7ba3cbd72eab70d260c23aa4368ffddcd0c423fcfe3d8d712ef4973eb8e521a2cc98482b001635f2b4f89daaf862d8fcb70c8a9054ca16b2749d16d7ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
61b7a74df1aa7c77c581b0cf1f7a9b62

SHA1
f9cd75669627940b2a3a027cae03ab957783fbfc

SHA256
b8f8552700f0f61af33c309ff08d1c649d8895558691fcab6b27ea423342cb89

SHA512
4177059ee1ff37ee09b77474b8a68e443d609ca814ec5dc6d7222434157bbfc7c9e9c80cd495492348622ae12f3caa953eeccb87207d7fbb6ca98b241ad94c45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8210541b9749d39535e174749b64f50c

SHA1
24bc25bebe79234700df38e6ccab29c3667f2e7f

SHA256
06cc227dde8e471e25c8bd69516381902415cfae2abb57c9bba85232dc5fc9ab

SHA512
0ff645f6ec5467f0a7a9f21ea094141ebbcd3d03fb60e2e6882cae881a258179caac267b8812df9cc33c28713bfc03f13d4d4a3d1fe30a4e2374d5c105599344

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f826025f6cc89e1a4f4df28b9c167e3f

SHA1
a980b8324cc00f186a2265ad1b1b1ad9f3089296

SHA256
898f01f0ede41b7da3440436b6ef81d8abc4764b26728e23024e6c08d25e7417

SHA512
4b67dba3d6e11dcfb41f11c9d01a429e31018371d010d96b4533d6e895b782ed9dcd86d3b831c86f5387f6242c93cf407e3a93c56e411de14677523b84afad27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7dd371afde0c5186a048e30d2ca076d3

SHA1
ddde21eb1b2272f11082e9675cb855342bd3daf0

SHA256
b07a0985518bfa491916dbeeb46d9d5b3ee8dc5c8d436cbb31ed80471417a9b8

SHA512
9435344044be7f52495d4d2d9132018c2ad7a82035036086c25ec293f3de12fec41f0b7c2979e3b70bbe74e211e8f317d0a9e5350a062396efc9a006ee4a1d80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fcbc4cd7ab4d33c85d0954f1455a6311

SHA1
9a4a4a912c8053017e37eca2b26a4656bf8d05fc

SHA256
1556ad6ca55bb7e206195c8e4701eba5472264b7a902e14e8c5baffbac5662ee

SHA512
2b17e34a02798ac8dcf45ab104709fc795fa086986c3458b96585ab947be9caaf8f023af7abd4f15b812c5832125ee7333c4a5a5b7566d8efa1e5cf3c444ad27

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7346a719e5cd599f1dfc6fa3a212ebd7

SHA1
724da01740ff2cc53b8f4271d1a5b74e339cc143

SHA256
6280c2822ceafab0a28a434958dcfe6fdb629a84482ac6e83c0ee35cb44b60d3

SHA512
f522cd45f1b19a762c2c1d9bd7768576d4f2beb7ab3bf24fc6b2217f048d0b93becfb26d85f7e9af07ee9dae6ceac9b5d00b8a25b63a3d1c65a4103054bedb7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5a8fedac8fe72bdaea5b2d3c003e9b83

SHA1
208f95bf45cf014e65d87ef597c0e243dfa05a90

SHA256
1b870dfafabb1fe8f2dc965a1d4cbdade41a6c17da9f9350ae219697908fa080

SHA512
9de5098217390885b3b18a794fa6b2ea16107e9de058e55da10451e3e4d9d614379f0b3b1f2e83a938603c2b180022a4cd2e7e54e7505a672371e261a2c00419

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9a80774ed48b09fc6de7082f6bb89d35

SHA1
61ed063957cc90d4cb9acd271e07464dc93a2a1c

SHA256
37a79e1eac5e3d333931a122b1ce603c2c41bdf9fbd9c595333187c774c770bd

SHA512
97e106047779b4a984910bdbb33b1a97a6d76ecadccc0f8250e1127bd8a1239ffc706c277d6497c5fe80532b878ff876f3e70d4187a3571622f3f0ceea093fa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
0d9645d4e844c7e8af475452c45e5683

SHA1
c47c44247f0a8dc4e462bc3ed8724ba3c4a49e8a

SHA256
bf7bbd0c7b906dd78db2a525c63d5c6de7ae891e736105de9c2978a03b9be016

SHA512
c95898b5b35795cd1ef244683371ba60c78ba9b549e34be419d28f7830bf09457019e125f1fdb5c9a975099241e797d59a1990caddbf39799571db3ca9ddfba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a5094cfb9e01b06bcff5f6cb0bdc2abb

SHA1
4aca154b4300892db758deb933af3546ee6b5f96

SHA256
8dad8633b21ff0445311cce4a432b2816db7254bbc181dc5bb184704fc2ac523

SHA512
5500863e796e4f1777f294dee0593685d7691eb97980636b2104b9b0fc241657d7893e186cb978fc022de9c2d43320d2d19995529a1bfeeccc01c01feb36719d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
03288da05bb3e5b02bde8ac0bb98bf5a

SHA1
f76bc904c749ba756fb37321fc28f562d40f4d66

SHA256
824086c2942e9fd6bffc9458a9108ac3a824816b11e5303dc4eb8fdc06734bec

SHA512
557d4cc52745ca7357c025d0bc3cf0cf85cc2f02ecbad43e803eb6e3eb7acda1b1c6627c85ee458e9463fe15a6060b761b6835292719010137769b961798746d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
d8c0e844f7f753a491373f05e38eef92

SHA1
1a8261b058a36c766537cf604c714cce994b8e78

SHA256
fa4e244c7792738d136a31119dc18d474b42a6c9a15c7ac9b55427705a784716

SHA512
07e1c285a1b47ad5185e4b91a75aa12f9539d6019d0d5b970e7d22f1edcd73a6aaf5111a19c4d0a82f0b2026428f67060c23ff4cb86864deee5c43e2cab78f08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e2e2738c15980ba745ef754fc52c697c

SHA1
43a6c4343372e1c3de0e087a7c044d6e3ec544ea

SHA256
acf839b9433245be36c3cb641f52ef4cdf3bb0792e6b5eacaf09f54fe83450ee

SHA512
adc6a44caa8a1ad38d78d3c6f5233bf6a205f1e21a3d96389b00388bcaec5d9ba397b4c1bb889fb019ff2a44326c08e463d4b7431991b14564d0a231d773b689

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d967379ac3f41609d959b5d718123d8d

SHA1
01f294886176b032e5eb440effa776faea2e8908

SHA256
c8c3dbaeab6660125a2eb8eff29a2d29f1dd573aa3ac7df99e8f3632a7c1fb51

SHA512
e440168a7fbe80afaf908f637847ad11f4ddbf59eb9ca73dfa339451257a6999f571b0427522a8968c19927f03318ddafde3ad85ecf929a574f6042a12c116c6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1eed12e89bf7812a8747e7f9c81ea46d

SHA1
514f50993ad992623482653ae2453aae7ede1dfd

SHA256
ebbb6f9d83559fafd781f757b52cbedea1703c6240e6ceb19424fde6ee56c27d

SHA512
8531b44f304c03dabc88436f09d244bb16edc80d23da16a3c96ef3fc3727e6a43e15436f11c3322e3204668fb982aed75d742debd232aed6fd771df241187385

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
c570f7560f94d9f718f984d714e97a8c

SHA1
db26ec6f913f5bb9215d60304a19f931e0f12aad

SHA256
108f637fe6635e6c9365fed809157e094afcbdd0186809b75f501a3b58608066

SHA512
92e68fede6d131f37bbbdf4303b0995ac35d6ee5bb168faafd9c7a9e1ad1622bb8fe9cb5339c26d4e6ebe23b3e260f2106231a64dce2cd994ce39ed3b8681d21

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9a18439ee4ca8f0cd5904c02bcdea258

SHA1
d2e66f2f3102b65824ea030bb814f06280ba8bb8

SHA256
0bdac6bfe17d982796d3f020402d483f705e810822283ee54b11e2d38522cf8d

SHA512
561f7f3aeb6c15335837369e605c1561757e661b25446a028c8bb250006bcc7f0a383a86fd12bb73fb4b5975e7eeef2110b3ef3fa533c00fe845d0b0a0f57458

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6bf1440f91287153b79898f07aad4ea8

SHA1
07e8a9c604823c55488864fc44d75224ce4a77e2

SHA256
1a6708e93b2a4ae5e930da55dff6c7f47bae77fdc562cc8f4edbfc81b195a1b9

SHA512
adcf172171be1826783789a3ee963f929aaa8ce9ea3afb015fd547b95e20e7493642195f71f44adf8c9807b7118b97dafe19e0eb7c21a1780f0e1f8369c7e003

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f56d1e935a367df7e8d6fa7454e3b642

SHA1
8cf84dadd24a075f25625ebd8ada56e413578674

SHA256
8f9764c6979070d0b481ecbc7b64f27d20912d1d5c98eadba6bf8d75c657b76e

SHA512
3f27dae579b815d5d1039628c573072dc165ddef588824ad824ddd38d6fa32f20c31e84d341d38838003c94d23dd49cb0c9d5407e59b71506549cde8653015bb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
04c3adcad2d40ee354074e7d566ffed5

SHA1
ed964c14d33157212604c2ca38c6116244548779

SHA256
3218d2c74b9cc86602854cfb212d80f33677d9e5f8a8592c836c91faf79bdd5a

SHA512
612d4ef061a0d0fcba047d6a96035dffdb19f3af69c8749da1ccbad477be39d1489f24696e3519633f352dfe0eb8c4bde3b44d7c53ba3610366a58d7ba2680a2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9c9fda772c092ada0970a0c0fb8e73c7

SHA1
ffedd1b0652709d06c19e1cccc1490fb2048dc41

SHA256
41b2d276d91ebd214d23b4cad0189cd956a6b36a862fb12d321a5a150ec0449e

SHA512
ee445fd9374f8a159d5cff925fb7409927934c4980b8d58831ccb6615e9b7b1b6c2acb7ed3116f4c4a4609e37ad784fa3776da156eaceb65a7ce67eed1dc41d5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3f93b12d5f246ed8a289610aca547afb

SHA1
46a9b0c0af9ac144340513ef3f008eaf556166f9

SHA256
cd3610be40eed7ca1c35383777c13ee70a09aa87040f3b96144a89f4e3102a64

SHA512
d69945ead1d24fb376e8f2d95cd7d35edb20295df0cc4c326f057db1587c19511e47a91705cfccc72cef4f9e06a77fd37acb14abce97d832d97ce229cdbaeca8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0a8b41c1e58fc2bbcb7be8a08960433e

SHA1
d2ed82bc35c3ffe0ada2308ba345c74596ea9862

SHA256
1ec92bc7fca0b421919cb32d1135aac2a21c8c17544bf345daa487d654520be9

SHA512
ae86cc57a1f850403fbf912f530a0ffcae150db07c88185eff94fb169adc3e8909253df0b8e77dbe0ec73ac26a14ad5819bafeb71f2faf18d9f6164aa1f12b3e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
49187d033386b3ad6be92e12b3295a39

SHA1
0d5115993c9d95978405cb67322136486e3a3892

SHA256
db0b0e251cc493d6d1329bb7f1d256af6c5addd4da60a7315c072df5d26a5a14

SHA512
af4779e957c8fc1285c47d39dd6f689f9242f195cbe481cd48b109ea7972c9ccf49dbe954e19f5d1caff0a9f339bdcc2113218bff4cf9d72cd174ced950b0d02

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7b93503ebd8de355096fe0089563b44d

SHA1
c526c9017c7ebe37df51b263141dfcaab070e355

SHA256
d05da11a152aae831b1e01eac0681a7043c31174cbc8cb5c328b4cf82873ec6c

SHA512
c7986815691c761bc4407f30c580f7998304cac89299da31384bcbb1fca1110c06f09288f49fdb62b2dc7218c3059db4d327cc811c4bac6f2bc0dc762ff6eb25

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8d877b56ea28f01796c89b7ca3e9c502

SHA1
eed078b9d2fa191987b77300a24b200f85a4b91f

SHA256
79971f455a42676963f9c3141cf22f09797e009d1d69b51a0f411b1bc2450917

SHA512
98fc9fe454b79cbd0b0dfd64497d7175f63f1cbeab0ecd16041836d8486de643f7adb1a28d84c823e75ac8aebc8da2dd3cadb07c93d5034a45354d9faa30cb3c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
1f428fd2ae0778ef98659a70d6ab4f5a

SHA1
7dc811e14d09f1e68c7c386b47cda882febcab18

SHA256
eb1761f546972003d9084e5f2c7b367cf49af561cc4dc3d2bfad0309e046c5b0

SHA512
86c5e8e59d13e757602688f7f67ae6211367e040dd2a110ebdbc593398554e445f63a3e13ec4307e5913855ec26fdc606407f45a576b69d1790f978419608c72

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
409cbb844e6f0a410e1c2c418d534d3b

SHA1
80eb6f8c1b2e9b946e092cc161d4d755b4bfc3d3

SHA256
1b0c3979484cb1c33d600587b111fa8d240f1c482f1b75df289e51551a8b222d

SHA512
ef802f681bd18e5a90e24992352584ea40468d29cdab504cb041f1a9ca7dbd9035d8111d4ccde8ac85a5c60d54178cadb4d081c7dbf808e83bd5a80aeddb7214

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b3bcd3a502de807fd5b7a63e14358733

SHA1
e4af579b6eb7f39a692a6dfe1a67603b7813d44d

SHA256
4621573feed6a18183ce421c73826eae6450f0e3ffdc46b8164744f2f73ea84e

SHA512
dce7d80fde07e9fe5f05e1e38296d17103cd37a99840bb5723eebbebd6775c0b9197473444a61e8f3148b562a7fadf9b135f66967213da5b96ad6d6f883ea0dd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
638789793b39b52b59502300650b3bd9

SHA1
d1ba07632d048bffa45ac6255ba3d7cc7415ef13

SHA256
4f8f2b971b10688a7069709abef3d8b62a93ff3febaf594389d44725f2dbf802

SHA512
f75c61dc48f6c22cd6e5b09cda29dc1402955e713487032e8f63ee2dee5698cfb1a76d102042c9cedf6a696a8e6ebfae4fad8a6e2e98578a581063c29984c475

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
04a854f39a87c4ee1559927c96488a28

SHA1
28c84b53aca8d4b17f3b723e17de7bcb4210c655

SHA256
8e53ce1ff370abfbfb70c3fcfdd8df95ebb5e08764988f9d6ae6e9597bc4dee2

SHA512
507f2534edd0a1e67ac8b9000dc62e00c9c98b25bd470787129d92646ba5f5a13341d47a28893ac6646556fb36c09b9063a6747ff6ea88fc7fd184fa3fa8a86b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bd00f4c29b1c79827146d90b38641bd7

SHA1
d360b9d1122c1bce1b751773615e2bda9321e63c

SHA256
f34c079a9f5189ccf64fa9aa02317ac97b67a1653afb45ccb03f41b60cf15f2e

SHA512
ac8102b420f82942b75345abdcae05a13bd53a96d6d9f607a3a6405f2d61d4abae2b7740fff64dcfd505f7171e6f9e2c617e710341b0d5218627d056e302b28d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
f0663f585814ed2b8e94f0468a2e4bdb

SHA1
82f54b1081e61e6c892234604f20551a042d763c

SHA256
5011a63abe22d145ab7ddfce3dc966c67cea4be1fc9d15a68fc283ab509f0864

SHA512
5185ef57870e73f3b9aa82c83b9868441a8c9ff4af6ab61ecb34c68212f0b8c85101d614e19a3939469c92c8d6c14081c75dd91bbd722d283724544742921641

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9061b9910bdac3f34c3c3e15f7ad80be

SHA1
930b2e7ac347f92b7f45722e44e2953c9b6d524d

SHA256
b5071b862cbc2dd3dcc1342dabb6f62ea4e272b0141937fe52f4204875d7e577

SHA512
09f668de98066f1db0e1ff5417e8f8ad5c50ae54dba65fca63277c487fde7e18760957f7107305ef53f61465feaa17491d4bae7a591da703cafb0d5b8a5ed500

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
47a0e5934af5228a559418d9b2137007

SHA1
6dce7bda8e559f2bbc0fb1859cc1a9d70dffe6ca

SHA256
aaac426e6f77b912d8d6239295748b126c91adc20121ed10892d0b60b1b2e504

SHA512
76700915c170ba38d42753cef9dfb63097a50e58d54e3f38480c84cc1a155b0240092e1c1bdff996f25d9ff4a6e0b760689049e1288332f7040bcedb732a84ed

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
3edd3289c2f92d82db9e7769316a9fa7

SHA1
119c54c419f75201b20eae903d33cad0b0b95a47

SHA256
a23bc77fe3a17a49ad83de5c68d94f405e217fd8fe49f2e545e01ebe410d0b22

SHA512
10344a49014e0f3c2bfaefe641a1c372b985c9c0580958b445bc48938a31306f631a7a4ba447e7dfc7556c2837cf648d90b042bb53129d9d8614b72fc8736095

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0c939d5ce597bf55f7cbac73cdacbd97

SHA1
305f492d290a5d04db51006f05661f4151af6499

SHA256
39659f83126140a7175e04f5743694dc01fe66a9084fd695d8e38954e287bf7d

SHA512
cb53dc436b1b8135ff88ef4f9e887d0c6a0e2b2ec7d6044a2d3d89fc04911067b79ed781edf393f4f26eb2617d31b47ea31735d059e241a6633425b1af328d79

Download Submit
memory/776-5-0x0000000003C60000-0x0000000003CC6000-memory.dmp

Filesize
408KB

Download
memory/776-153-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/776-0-0x0000000003C60000-0x0000000003CC6000-memory.dmp

Filesize
408KB

Download
memory/776-18-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1004-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1004-308-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1004-30-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1608-207-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1744-79-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1744-77-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1744-67-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/1744-303-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1744-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3116-186-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3116-50-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3116-44-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/3116-567-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3188-205-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3528-189-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3636-192-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3736-34-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3736-40-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3736-53-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3736-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4024-309-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4040-565-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4040-16-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4040-10-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4040-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4072-305-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4072-568-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4116-569-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4116-306-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4504-463-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-202-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-190-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4624-185-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-57-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4624-566-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4624-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4704-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4708-203-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4748-311-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4796-191-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4960-81-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4960-187-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/5088-204-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download