risepro | 5f7353e35fbc4c21f022693339c1d9f695472ae28460464fbe2892ff8221eb88

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Size

4.3MB
MD5

79527ada2268a9f517373d4ce0465bfd
SHA1

52f00b743ef8ebca2214f1025e92dfee9881dd4c
SHA256

5f7353e35fbc4c21f022693339c1d9f695472ae28460464fbe2892ff8221eb88
SHA512

a9d42b0fe48dbfbc13e1cc714e9a5757ef48b22d549ab3bb1dd87262b3556c1310c6d7ffd5e6c9bdf74288e98d2a542bca9b7b376f81ba5d35b858d50017b6de
SSDEEP

49152:zaRGf+GDHxuC1vKjxa1CPsFRuX35gZKUxT21HHF6c9OtutTjI/uj1tObh95O:zaAXHxuC1SjE17FRCgDx21iOUv4

Score

10^/10

risepro discovery spyware stealer

Malware Config

Signatures

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro

Executes dropped EXE 22 IoCs

pid	Process
4540	alg.exe
652	DiagnosticsHub.StandardCollector.Service.exe
1416	fxssvc.exe
4644	elevation_service.exe
1796	elevation_service.exe
3744	maintenanceservice.exe
1116	msdtc.exe
3648	OSE.EXE
4104	PerceptionSimulationService.exe
1596	perfhost.exe
2836	locator.exe
4036	SensorDataService.exe
2116	snmptrap.exe
2128	spectrum.exe
1716	ssh-agent.exe
1776	TieringEngineService.exe
3276	AgentService.exe
908	vds.exe
2236	vssvc.exe
4536	wbengine.exe
2248	WmiApSrv.exe
5052	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4cce366fb3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe7a75fa8ac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f73c9cfc8ac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b986da018bc5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f2f279f58ac5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea4d09fb8ac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba112dfb8ac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d94d1a008bc5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003beb60f98ac5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeAuditPrivilege	1416	fxssvc.exe
Token: SeRestorePrivilege	1776	TieringEngineService.exe
Token: SeManageVolumePrivilege	1776	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3276	AgentService.exe
Token: SeBackupPrivilege	2236	vssvc.exe
Token: SeRestorePrivilege	2236	vssvc.exe
Token: SeAuditPrivilege	2236	vssvc.exe
Token: SeBackupPrivilege	4536	wbengine.exe
Token: SeRestorePrivilege	4536	wbengine.exe
Token: SeSecurityPrivilege	4536	wbengine.exe
Token: 33	5052	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5052	SearchIndexer.exe
Token: SeDebugPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeDebugPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeDebugPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeDebugPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeDebugPrivilege	4596	2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
Token: SeDebugPrivilege	4540	alg.exe
Token: SeDebugPrivilege	4540	alg.exe
Token: SeDebugPrivilege	4540	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1948	5052	SearchIndexer.exe	115
PID 5052 wrote to memory of 1948	5052	SearchIndexer.exe	115
PID 5052 wrote to memory of 4236	5052	SearchIndexer.exe	116
PID 5052 wrote to memory of 4236	5052	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-23_79527ada2268a9f517373d4ce0465bfd_magniber_revil.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1180

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4036

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2128

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3764

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
3e3a4ace77345511c5c3eba82debba86

SHA1
2947acad0643e7549e4a8180366e15cae81bf697

SHA256
71612fd680db9d4f186279ec35277337690f8183e6029f37400b61d5cea16f36

SHA512
ce1bfef0259adf63b37a8af4df7b1d210bd339a6e06a31da700a469e69b3968c427b65a08641fd086917857d8ba9bddc0328eb62eb2a5ccca9dad78d0da32a64

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
75a00b6cf8548a9609d31be1c4fdc2f6

SHA1
8258e9962630c8a1741fec205cf974b0e6528fd9

SHA256
e9192bab05dc79cee3579de2abee0edb0868f797efc63a9a59deb295907e212d

SHA512
1daf3b72921b9777da24bb2083fe6a309d96ac59dbaf1c9def5a7498e6e0e3dc9df437dc799d1887dcc1c4c163cc64f1df07dffe83c1746c7c6810ad3fb620c0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1baa790cce2d72400f8c15d32abe5a41

SHA1
0ac5ac01c0e3c52a0b7c9cb04664a3e34f2fb4a0

SHA256
ab228a3097de723d8a0bfc5f07cc08e074af70c947be7424c48da2ee1e8d11d4

SHA512
f9c482ae8177f57bbfa25a05393fde0391a1de386b58f5f4a2475ae9c27b09e6205c8999da192217266250d3467dee4aab225672ff6d14bd5332030bff7d24be

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9139a384ef829731bfd6168794af179b

SHA1
2bad711db88fa4d5bfa8f4e43e23826e6fe44198

SHA256
3d2a6f85ac507e05c88f9e8afec4dba6050b9a245a61894e07501dc5b3f79e33

SHA512
95026f130558e2dceaec6ca09573a6f056dd14fe876a2baaa6edc40f4e86161e4ce269b5d8227e054737be1cf5e5554c964c7c1a97d03a690e9ec5e765b6876b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ae797bbfcf59e20e2036afcd0dd29892

SHA1
c0bb63ac7776d039f63f9c6e0a63996f9ef6440a

SHA256
ef3664518d81dc0ad583e2a273dc40d4b396aed486b0026d41cd794f05131579

SHA512
c1d4b28e2f3e74397ba7854cf5b647532d91638832bcf378701abf6f8052cad93ae0799a99cfefba62e9cea2226becb8b104014d7a29feed7c531a7c1a21545b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4626fe2a061c135452884964fc2b3802

SHA1
b5f964e0cca4e072de9a35eaba5d2139a43e45f7

SHA256
4c44dbcd7f3a51e706424d75e1a414ee29a9d5c9767551f496decc3b862a7216

SHA512
85ba3fa0e088fbbabcb79fd376be230f596687b82bd736e8244e935229854a7c370adcb936dbcb9c8031d7879a2d0896783ea61060d6b97a188649fb7f7864e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3d78111286c00d3622f2a7e877e11f10

SHA1
ff80386f8a24c503fef47cacb292dd2f2894afec

SHA256
d122e5801ff1ff28fca5d815ef099990118ae943ebbbba7395574a6eb366e067

SHA512
4e56e9065b276b54b9af3a5e62f4232e57921e867f4a9ee52166b03af34a30070064b1579477e85393f94e3401541ca41beecf0a7dcec27d7e4a9374350d7703

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
52354beb9d5360f3ab6a48d59635ba97

SHA1
811a29ee242ef00adfdd7a4cb1f79a5236a68da3

SHA256
3a5d004b18e6911c94da3e7a2e4de3a3b78fa0a67a0fcb8bcd53afe69c1614d9

SHA512
bd6178860c02b7662f0066a9c8eceeb9ed464e63f4ab94ffeb2b1840ea43331aa1decf8cb655451391db6568a040ec89453022aef70791bc9a3a30f2ac4fca94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
08fda841ce1dfb26b19b4518da896193

SHA1
73688735198b5d14bb4d73f8bae56b4bd3d598f5

SHA256
334a2046c2b999f72a52fd102a30b88218748df7a12879d3c793ed73b5f07b55

SHA512
d2e24382d204c01c8ac0dfc75633d5097c0e85bd64f148b00e895ea11d8dfd8b8d72f14aa4b7e816bd56ec834da71c85d7949d2a0e51e6dbebd12b78106bd06c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7334c86e52114bd6bc3f2d03fb55a6bb

SHA1
c7317f2e1d70d00fd04ac8fd75d42befd014773c

SHA256
c7a1ab249b33d9fcc11c91bd802a4e047628c116e3b02976e15020483885f172

SHA512
932c2c4cee4a6db6379cde2ceaa5aeddb9e8f6cccde358afed6ab7bc348c2575117620516fda73498d3b1d33c83c5e732b4313cc122992b3f4869ec57d068301

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
2c6c49b7f4f4193dde457f385802216b

SHA1
78da03ddb8d093e967223f76bfa5ba7362533fd0

SHA256
b8a393cc0007ffb91d5446cb8703c39da5213e3b6a24482de9a125d056538f28

SHA512
2895d0d200e2a075feb04b9b978a4c1bd58b85ecde3e671de73b127ceb7501b886534b4e6778597b9afebaf98b42466ed3e413f0d84d562f658848fec72506db

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cc64c9b6c95ecb64c6a4ea08d2cbf8d8

SHA1
d785161228ac4ccf8a037896a58680cd89e82741

SHA256
3d6dee2009ad13b1104b1dfabc0cda6c29ecc5827bd9a3f932d44b3e65ecff45

SHA512
778da3225487cea045f69196f6503e80e7dce5e2b7aa00f4b28f9655bb901f9a339cbc0cc71bdef3f89c6ee98136ac4bab60c95fef75b79ec94b6145d181f03e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ad298d5a4f4e96165dcf99491a6426df

SHA1
961e7cdc70200d2e11906535679d2f6fd17cbeab

SHA256
fcfb248622a28052178f364fe586dc1f9df8c6357db174c5308eeddb8868163e

SHA512
8acb392ed817d37f1e7f4a58eb38e38cc2e43b93fd05ab84ce9de35293faf2029bf3fc0e01e71e17e21cf30213db9019c523e5aca62d2514c6be2eaf1524f690

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2d9967d05515d70d58bc05cfa8db694f

SHA1
a353fd759539aa00079913b28895ff047a1d3db8

SHA256
0e648d6c87e92666e3fb6b0331148c8eb73da2ed49b1e5006df863826b37a397

SHA512
ab69daf20c20b3ebccd9fb50344406c3583c17b49f90d930137a7c60baec5745a88a8bc3012245bd58e819033b91a568ee0dc7bc02b1553b02af712413b539fd

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
bf923dbac0579e2ab21093b8137dc2ef

SHA1
573f69dc1034b7e3ca508e61dec908c434641394

SHA256
4d4bbb6ca207427fa2b546486ca56dd3d48cfdb6e18af78241ef4ac72356b8e9

SHA512
a803ac2d9ae376178babbb356d9159aa4da207f24989eddbf7099c344d4ab7a0c0e6e6cf1452633b9533706dc45f3847476e9e59ae7d03d5b74c416c270c5fcb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7af2804fe63d798e76dfe6db4ef5f039

SHA1
821cf1e764475a33af6c30113732309ea011e0b6

SHA256
653914ed59cc06b527bb14845b2e7692298e7513f1664eae30fcf5831c6f17e8

SHA512
c541fd8a0aa3693c0d0e7719d8e0344fa79b4a648d5dee4c9158fb1fca905901805371f4409c3243f78bd9796e1af061715cc8c0950f29675853d6af7ea9a17f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
33af7f4f8686e516950a46e6b36c250f

SHA1
db081133e26b004e46c95032c23dd671ce53d5c4

SHA256
0af475259ccdf4fc65105d8d6ea47d8554f44fdfb7f40ec6bdc5621b6a3ee561

SHA512
dc270d0fcd67e1c35c0cd872df17ac7512b92a7df7c50fb818a4b2799834c523564a0e1b11525f004ab804262fa75f7b7c4bd910e09c2506c495be8254ccf7f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
1b1d559c2b778c1d5adbc8b23c1ad46e

SHA1
2c83b7798345ded7017da12adf2449165681c9f4

SHA256
0af9d8c9e6892917f9972505802edb5ecf1e56a865d0920aa70ef0dee95ca1c3

SHA512
e5964b05ecb28020d8c462443b0af8d5089b1fa2a8f1de6433d5712da99b80a9976e869e3d46d3e6d4011efe0bca1f3f15748028a399aabd4df4366cd49170d6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
20a73ca0b74683ee2f9b2a31573d6538

SHA1
a24e56904ed4c771640b578afcc8460868390929

SHA256
6fa105ef7cbb83d61fa285c284bafcca15da30f6d7aff6dccda52150357016bb

SHA512
3af369c5f3085a732d511d7e9690843d81a521dade9df58d010f6129c9d234bf2c816965f1ac422e7f4d90c425182ccdaa0b0be77ace86935c7c7d60bd3875c3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
3147e0aec83006ee3e2a1c86f43e3ba6

SHA1
bab2dd99d2e7094ea8ac069c424e96bdeee69cd6

SHA256
65458fdbea18a5b34c4c40c16ae0c3d3414c1767be699f824b9074aab6c1c5c5

SHA512
987446ab97a5c91ea8ea6e5716c516925348293b43317a3493d267148561a9ddcf815b4e8e9c6496cea7ee34ae0832f866ab279b9746447715ddf200e388ee03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6312421cf25d4c58f949e14cc243f2ff

SHA1
dd89e0ef421a555bd6e4beefdb98484fccae9fd6

SHA256
2ebcd645fc4592f78e51a65e3a4b83afd74b58a1d30059b91ca2cb9dff495512

SHA512
1cc7e1ad7024e74a73e8c409d128a52af8589077b93591954b43bc970ebcb717cb5ce4a3b27bc85ba61c2bde1ca17b3911c8d6cbe542a45c5e144ec33eae9b6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5bb2d2872ee53be71ddcc3e9f9c6d84d

SHA1
35d8eb64aeae70244c2497448d59c9ba1dfed026

SHA256
a1cbfc07258e0839e0b1381640c0bacc42b3b8b09c9076919895194092bb844b

SHA512
b27dcc7dde38c891e98e7700f5152bacec6dd5ca8a71d2385a9b9aebe21c43dbefb92eab2b7b8c622bfdcc0d2c52bf6a8007d27b9301c104be3ef13447a0945f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
35dbf72083135c8f8210b8d1dd4adaac

SHA1
0790e9a7cd939d4b9e15c95f3ed7513ec5f12812

SHA256
30d8ead4368f032826b5f92369decddb7d30b935f5f182de76c5859cdd54b20b

SHA512
2e60b43432197175ee0bdb5fabbd974493338a93e0f945488bcf196f0a067f73b457af8cfe9e53f93c7c9378eff8a446d0421b94af292677c2bad6fdd27511ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b98d0318a8ece557bfdde020611599c4

SHA1
e5d7ab6493147838664a19417c0e4739d5a72463

SHA256
b3bcdae16e00b6334011b3e6f009b77e91479f5b04b5c55b2f3f4397015f5745

SHA512
a8db022a3ca7404d099b94fedd28f5239096345cff0a81c57b7bb3a44404d757c6180033b4d7f2f73d22a6badbb4fea2d58a86ab878d88e559b7eb1a59ba828d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c663312e73a6e77e79e876043c25865e

SHA1
44129bdb961bec85302c753bf448a8ec66049a5f

SHA256
bacd10feea67d833c09b452a2412875d28663eb29a507084a0055f3d62a01570

SHA512
431d560435b152525bc4ed2bb8315604f6ac5755a6d4a752576872ff5241baab6688f19bd99a1c20648aa7d01a92b791acfc3a3c79e4724f0893cbe91a6092be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
4b7245139bdaa3965f26af78189b77ba

SHA1
43569c817c53e5617562ae7da8120a49aeb2cf32

SHA256
5ee605c6e90aa6a50ce9092e172b369fc413db1f3544f8bb609a2c80fea8ba0e

SHA512
fc6f6e7af8becbf2726e2d7db89142b66dadd58d30edbf6212b12240790f5c85bf069ad12549b9392047061b2e59d3166901b3687f6ceec1a5f5b7e57f3c8118

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
19e3e5b767975a86a8f453702c3b49e4

SHA1
0292819cc4a8dbed549fab1a1afe49014f1cba20

SHA256
0062ace0cf1426f1d9ccfef267c3dfaa3fcf4ae562a0d86dd395cdeb3013048f

SHA512
81a63e781ca6514da0df96369be30cad8784eb97435a2f67aafb7c3df4c4ba1c11a1978286bd7aba2099af0e29492ede4b6ab3ad56b8b372e08280b52706ff8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
98fc5a1023527f37a90ddf42c4111b9d

SHA1
e70f1348158353609901a33e1cba921cde932732

SHA256
ef49700b0649cdc72c0f00f4bde620df5db27a227fbf02e32567c3917989ce79

SHA512
ce89df19d43c08ac8b5222860dca81e314681340e77f76876f580ecac65084e9426662654a80dde1953cd9c6b43c12301ef6e0c5525341c5d0898554f9fcadd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
35efb2dd7412de888891373f2c20d47b

SHA1
7cbba19c1067ffa4c8978c97aa0504601a3108bd

SHA256
97b8dca6f06827e11f1d516987acc5d1d26bb2e2a00d047e130830fe73fd9c07

SHA512
3dc62aa2577a9fb39682ce629d39e25c1ff581ec92f3bf9c6a884df93d1d5d4d2acb20e528532d8c1c4dad8f4f386cb073edb30ecac4a1f0f16c6f6d659f9b39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
52311f10f492ffee0a2c91b4239a407f

SHA1
452cd0bb5dae4cb3ef19f39613617b9dba18c191

SHA256
87051f02ca2395b268a850da8c0b21880db14c402ddb87a92aabbbce6cf38305

SHA512
1332d1d8c2e494f96f650d67dcb68664b5f1d732ee5f23cc7419d2bb5f22604bfcea40f586c428fcf9ec49f8689fc5f9fc23608eb080026ac4d0e44d1a30d96c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
7687de01692528613d5618e8f8508c28

SHA1
018e159198042ecc22ddb472a5db7efe186a962c

SHA256
294bc43fedcc97248bc42adbe3a8d068ae933881c3d0d31b66a40d6441341a45

SHA512
4455513010af95d46170270f506edf9d38d07f6dbcd85edc58044d13e44cf72f767ae488e2cbae20bcf31c1b543df873524c32e3586afa623717ec924ddf0398

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ad8ffb804888353aefa5f3a8e51d2032

SHA1
bac33b1d4ce138b7c46456b6838de8ebcdd90d4f

SHA256
b9adcf42dc199db0763174a83574b5250e51dd3de48450a51f8a45c85252b957

SHA512
4e17f96d8b07bfcd77830950a4ff5712f644e79e58d5aec6d0ef2eaab7168c507b54fd12887ddd76e05c7e04af379b11f3ef422e841de682ab434746fc0e21b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f5a7a71e8b2ab2f4c1efc778f644ca4f

SHA1
ffe43370c2f7258b98643dbb3d49387493bab816

SHA256
b1ccb1ab61f7399c399a61743d1450a4641c794f03f17b65a9d0806e77844fb8

SHA512
bbb527dfe1a75306f9a63ea37110db91c57d2941a6f91aa7c54ffc5502d33d824819c804b6881bd80af1e0c5c653a3cb839e1146a338a53141e849f5f228fc50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
a2dad7cd4863e3005ce8515f6228f7d8

SHA1
2213942ca73a60e8fbec710ecda30b64a0f619e2

SHA256
40659cb043c0b81189982e78838ff4d391ebff7ad9276970661cc09bfdec5c1d

SHA512
b3b5ded956286382a2ad570358c15391f0dc5a8eaf639090649d20b0d3ce7af46817e0363f2f59a2402725842f3273166e3e5a838583c4fca93cca5717f9bfe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
3fe679156a5fa8b1b25582e38dd525e8

SHA1
09eefbfae2a2ced9d3e5df330c0e941badcde749

SHA256
d69643edb30fcb11f65381c6b8998519ca2892bb59d9b4335b6ce3189da95f02

SHA512
c88f644e651cce89b32014e421ce079041e54084c6aaa9f9dc50134d31073146b401049f89355c4199db2e0181665dabca8764743901d7a1beb4eb9a5520a4b7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
953e03e92d732c2584b9c42e0bf29a54

SHA1
a5926ae85b74322be8ff7719e01b75733bffe936

SHA256
8c8ace90614275c9ab03a3ba6e3328599f95fc0f0ebabf716a7983bf24702cd8

SHA512
8b16bbdcfbeabc9711a266b66f0c11f6133402ae5db910b7d7dbb14f6068edfe0bbd1d60e1e7358c794427ed5d063b8d396318dd2138aa5b1e35214a7357e3a9

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
602f8fe69a1bd4556ef5cbb5941be7ac

SHA1
a484267173b06e1242eb80abf1618b41cab51167

SHA256
ea58947e8e05b8890413c45b8ff20bff776e638b49af281696be39540718f030

SHA512
8e53308b97bc3db2a745f652038dece5a585d49d5ce47ff19cd89449c603b965dda8afa3e538cbb03a11aba84a57d14201738f29968a17e98759bac82da44f5d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e074d5e74b2840dde3e13424afd0f159

SHA1
282e30d9984784c9a2bb86026e3e2361aeeb8545

SHA256
258e6d0042f78e4a1cfbda004697f9b921154a5d69a474935fa2175a0b7a584e

SHA512
f348ccafa2ff033580881192062dc6ee49d9fe41ffaf164c5b2b0dac133507e5037487d28af9cde807bd0b91200bc9cc869155806325c84f98b96d597cc4aeb6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a6691cb3f944e12ad24d557dcfa1e6db

SHA1
451fa13c915f55ae20fafe10b079e11633e86c7b

SHA256
8273293d3d72526a5d9a93ca9b2bbb62dbcb7892fe4cb14a44a6b2c794556a32

SHA512
75e8fecd885d309504d4d39c572fa66d820f031d6a29db8a073d86a268ccce561a0f1a59a21e78fa04399a2172d8c48629195c196281aceb32cc160677e34ce2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
f119f5ff96b795bbc7dbd2668576012d

SHA1
1ab511c1ff95cf25cf96cfd2e63e32f393e58e66

SHA256
0a37691bc4ad731c332308ecc18d8a7e5198a539c1ade041c15e7768604f1eaf

SHA512
80de35ad0997f589eebdb204cfe25588423cc7a7510cf4b78e0ee55a9e2004b9f84c43ba4eb90b26343dfc4ac3faa7ba5d874784003b23d1ea61c778bbc964da

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a465b29959cd9ef8f59572aad8c3e567

SHA1
f866faa1b7be14c3f872e11cd7fff64ab99b9f13

SHA256
330df4b480dfd294d970f067f7867db9790111ca051afff37e6d1d06fb61004d

SHA512
d715889788448adfd5916f74d78f1907a87b9e4a5c4513139f6c1835146157f25818c44ecd48e24dde9fc65bc14dcad35a0030c1373270569c4bf5efbc0d0df1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3796b3735bdf1e697916642b061c964f

SHA1
38793d703eabdc798961dad394a68289917ba314

SHA256
b32d11503a4f96ed1ff673ecffa925160c958e6ec833081836efaa4b7abc698f

SHA512
8b3ae4d46621fa2858bf5e79dbca43307d2fbb2a2bb85533412f0f30d0206c6286b157e025f0b681a8b3843bbb82e398c6c0a6561c15f9137e7dbdb6b02cddcd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3851fcc694163168c5c15f16a9364da9

SHA1
70cb3251e2091ad9132b6a9cd64e98efdf4908f6

SHA256
ed2d7d0c13f81aa72bcd54166498a145f7e7e97fc70ebbf40a6f859099333e86

SHA512
7040fafa5f5bdeb3fe109e775fd016b01ad4e9a399e7eb1c87800eb732110c5cfbb99f9f3166d5fd5fb0c45285d3233f900ce96034fd580df5fe9a7fd9c1d276

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
63b2833db60d4a6e2acd5eaffad83deb

SHA1
cbc54949066fbb50708f253e57b1d0080daaf234

SHA256
aba4b8b3f203c56f1b35f063fcc67fd6ade82ad5bb355f778551e5a275ff813c

SHA512
046ce09ad2e2b9012222d6253ddac037c2f1ada14215831d33c96e97b0cef5177ebb519243a458f4f625306f37f67dca866fc0499d1d856c64cc746f731b631b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3e40db4a0f68976ef980cabb4df1959d

SHA1
e663b5d3363b8f0f734c1e76eb2f627e41817422

SHA256
0ac3a935ebfe8b183c74ff72c4470bf18302bb731aadbd284e9e96481b18adc6

SHA512
37d6e67a0edf9022d7295e30060cda08b1acdc3b50dde098d21f7444d7c73946c26875f2e3206c522da4a1a18787135ab16c725b3f70a2d33babdce00973a77b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b4a7d3c540efaf121795bd79306a2b5b

SHA1
26a5fcb8c78b9753073dc6d02b8110c4d4af6edd

SHA256
dfe3462cd5fdfe47803ecd539d1cbb7670b2dd101fcbd3259b6e9148b3a8c7df

SHA512
fcb35ebd4f0b4db4be62c8681cc1f1a33373dd02e4ce161ccb76aee06bf159e8304f6a6973f9bc9245d6df9d3140f30f1d18f598a4319ab3c3e803b49d58030c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6f40a86f3dcf3ace85d699b231b35ec

SHA1
e60c1272e923ba190fd747c431d40ce211bfc627

SHA256
5e7ffbf291ab417aaa6cd4cedf9ceae7a3697471fbad7f8e2730ebf02dd9b984

SHA512
673c4222152b7cf2cd7d157210832d2db832001105c914909adf508c7bc679b6f56bf9dcb610071a614289bead8aea5b2a6c7d413223660f973c0ae4266e6da2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f97526d542545260109d6948b2ff4a43

SHA1
e208e931c6710b9400a0c813a0bb426a6ced30da

SHA256
38eab59e6fb60c9205cade5578fad389e9260b4eb25fa700b806ec91e2610bae

SHA512
d74e1f0d8b651529f841baac01835652d3a0bc8786fd21b68a1f264c5f7c55c26f85acac3d6f5d1bf22d5eddeee071679218744fdc2df5df78fad99ee7a9fd33

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
677556e28db1f5f14516fba49f0d2c6b

SHA1
d149438d1c7a5c545c8f11914dd355f12f9febad

SHA256
115d96a41ca21f03407d35f6671a352940df97cef7e3032a4581b1b805256173

SHA512
56b6c983541dd986d0c715b0b44e65a618a6b6fdbc1e65e7672bb44cee5533a8ef5853f66f0199ddf66d81688562e3ee3ba6170d1b4a2f18ea5d3b9743a8d2e9

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6af995310fd2dd794a7d84e85a96c8f1

SHA1
3c2ca781c736fc92b40adb1ff749dfe749de53af

SHA256
e17ca78d88189d42e3b6de9ff59ec1d44cc1d70a30137ecc0cc2f408e902dcbc

SHA512
669b7da3e1a677b2ff301d756b5b5c70ce23dde759b2cdb4aeb3733902e11d113a6468b5e30ee2141448c6b8b4554203a3173435d697012f121dd3cefff97584

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
b2117f345fd16eae21e649526187f616

SHA1
1ff28d0743744f8e44b0c4b76baa8840d2476ed3

SHA256
71ee7df2a516cbc8c6bb0c8c7a0e1feab50ccfdf1779027d1c41103daf08267b

SHA512
6bc4dab2a39026338b7008b0b5e56da049b34e53e0725230e3f74169505da95475333113e841ea5324a3aa8979eceb14ab2b9e44d26e7a5ecdba9efc38941030

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa78643c679ea2549762285eb2b1c916

SHA1
08e2f63324f85d07ef881906723170bf37fee502

SHA256
146ee546e3babeb8fb97a0168c54893f67bdd844fceef1baff2152e97743109a

SHA512
c44295c008b8de006a9f725d35816b396cd7166e0f09b4ffd43991a9b0eb335ec86bbcc2b6d58b2afb42cd030c9987bad3a3c57ca4037200c7120e6a1269f4d9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5875d682d4edfa86920c2ac126d5ee35

SHA1
7472b7f8adbda127e6a5b6b674fb108fbd0b6d23

SHA256
d09f4434745dc77288f62b5a609577242cad2e81da60832e3867bc4f85600760

SHA512
7b27d916199cbc84192c85380d72b6c402e69a527f2977e9ebe48618fa29da0b35935fdd16001d90d42547a7cb09c75de90d9fce09afb3e932274478cad7c456

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bd26f89db521dced0c56b5349fe7dafc

SHA1
d7516e0d30600368e350f81c06cbcb14faaa80db

SHA256
26187b00f5ba7e6033f9afb30bed814e0ef1a6a82bb087b333639812f745e442

SHA512
24a8dc0a4ca53b0e1686fcd684046bf5bbed67933730e64d0ba1a9fa27c9ee4a185fb03d768a72b3f74c94c1f85e6575ec49b4662f9a95bc49c9ce65176ef52c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
44573d0a496d7ed2ca9f7575db1d32ce

SHA1
dc7c4cc7e09812479351d2309abb98d0ed22698a

SHA256
2c68adffb56777d0047ad0a1ab2281bea97e3b57d29dc10efa8d3ce6bf3ddce7

SHA512
823347e326cf8d6aafebf1c5a0cac02ad49dcbc34234a74d94e9563b655dd168fd8b9752b93218af5f1c617a2df3c86e9be31f7a00eb8d94918a5eb14768fc7f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6ebaf31d3880bf0283fce67f6b109f9d

SHA1
556a5f8fa3e29e6e0b3bf8095954701e7ccf63b4

SHA256
1ebd95b2366ae24a612159d61b8cbd94f478d7e97ef0120cf1bad73a8881bd03

SHA512
3d2aa6e6e62d63144edb4376e16f7e70fd2839ed9e1bbec86e0c853286194e1998e674c0cec08ce45230d2ba1be9fa6b13bd9cec8d183e040b3958ef8e2b38af

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
1706357fcd8529121e2903b9849d63dd

SHA1
42f0d8a1ada1cd92210d27579de628a233e5b2d2

SHA256
3f68fc061943e220df407ea425f23666bb0bf944cddf91f57d4ab03f58cfeb95

SHA512
13004295efdd0f19cf5b61c2d307cd268990a7f46029ad4d27b41461121e30af944bbfad7976f94718996d45ac9ddb256e5eae160f0e058089aeb11e18786c08

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
db381c25f46932ba06b77700da347592

SHA1
f44bc3f146e921c4e7f8890ee1ae67605315f2b6

SHA256
cd766e8d1aa3ea1b686fdf2a711c3407ab84f24c03b58490e809befdd794aaf2

SHA512
b3c3270b316019c208d39f1bc16ff95a25ada7b04d03490417181669cb943dcd962cfe01e0fa17fe64f0cfbab8c919d405a810a7cc8b84fcf5cbc5600f40aaef

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
e2491aa444f7a7c9b2ab27e65a59a2c5

SHA1
abeff08984644f3c837a56674223a79d590d559f

SHA256
7f60786209893304e740293a26cb6b1bf60a7a065f32cdb8e4c52ce778261c92

SHA512
f6ff3907f8404e552df2a83d64ffe4a9cf28ed5343519f89fbc5012193fbe894fa491c5defe213f2fa824dba6ac211218de57f876287dc059c6ef682b66356e2

Download Submit
memory/652-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/652-32-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/652-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/908-444-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/908-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1116-207-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1116-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1116-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1416-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1416-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1416-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1416-47-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/1416-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1596-246-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1596-134-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1716-374-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1716-185-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1776-204-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1776-411-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1796-70-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1796-68-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1796-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1796-184-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/2116-327-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2116-168-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2128-344-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2128-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2236-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2236-459-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2248-267-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2248-489-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2836-258-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2836-145-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3276-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3276-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3648-109-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3648-228-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3744-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3744-88-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3744-82-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3744-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3744-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4036-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-330-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4104-124-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4104-234-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4536-476-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4536-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4540-123-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4540-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4540-21-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4596-0-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/4596-73-0x0000000000400000-0x000000000085A000-memory.dmp

Filesize
4.4MB

Download
memory/4596-7-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/4596-6-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/4596-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/4644-51-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4644-171-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4644-57-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4644-59-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5052-513-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5052-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download