245bdc8e1fe255beaf7a1512b44ea23898fd8aa2eb5f378e2e69557ac3fc70a7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Size

24.3MB
MD5

b7f4601ee43a99b605d9da2281c5991f
SHA1

072c0ddf437b15e45b09e4daef9afb8a54c67025
SHA256

245bdc8e1fe255beaf7a1512b44ea23898fd8aa2eb5f378e2e69557ac3fc70a7
SHA512

ffea3532252ded5c775be94062e4665031cbcccb34b46d81bffe40dc39d3e89be8822f3b848e4681f9c68c5d4c99f1cf3e97b68e7918021524abf2f7ba69143e
SSDEEP

196608:gP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018Ju:gPboGX8a/jWWu3cI2D/cWcls1b

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1944	alg.exe
2612	DiagnosticsHub.StandardCollector.Service.exe
4744	fxssvc.exe
2368	elevation_service.exe
1948	elevation_service.exe
704	maintenanceservice.exe
2504	msdtc.exe
1480	OSE.EXE
4384	PerceptionSimulationService.exe
760	perfhost.exe
2640	locator.exe
3236	SensorDataService.exe
4612	snmptrap.exe
2036	spectrum.exe
3824	ssh-agent.exe
2604	TieringEngineService.exe
4160	AgentService.exe
548	vds.exe
3916	vssvc.exe
4568	wbengine.exe
1868	WmiApSrv.exe
3940	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\996213b64bebce60.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F22A0C79-EAB8-458E-BB67-27753F7CC7F9}\chrome_installer.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae9e2acb00cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d385b2cb00cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000120892ca00cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027fca8cb00cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c38fbaca00cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c117ecb00cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fbe83d200cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4744	fxssvc.exe
Token: SeRestorePrivilege	2604	TieringEngineService.exe
Token: SeManageVolumePrivilege	2604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4160	AgentService.exe
Token: SeBackupPrivilege	3916	vssvc.exe
Token: SeRestorePrivilege	3916	vssvc.exe
Token: SeAuditPrivilege	3916	vssvc.exe
Token: SeBackupPrivilege	4568	wbengine.exe
Token: SeRestorePrivilege	4568	wbengine.exe
Token: SeSecurityPrivilege	4568	wbengine.exe
Token: 33	3940	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3940	SearchIndexer.exe
Token: SeDebugPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1512	2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1944	alg.exe
Token: SeDebugPrivilege	1944	alg.exe
Token: SeDebugPrivilege	1944	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4284	3940	SearchIndexer.exe	118
PID 3940 wrote to memory of 4284	3940	SearchIndexer.exe	118
PID 3940 wrote to memory of 4260	3940	SearchIndexer.exe	119
PID 3940 wrote to memory of 4260	3940	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_b7f4601ee43a99b605d9da2281c5991f_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:704

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1480

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3236

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2036

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:728

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4284
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2a007ce29ba5a1a5d94acd111b456498

SHA1
8d9afea435a0a8c077295cf102d2046c3a091e45

SHA256
ed66a220f2fe7e4eca5659a245e38b255363579640c9a17d40415852514651e8

SHA512
767167ae7c3ebd0acab11b6a254bea6eaf596751096f87b667c014ddbc75cb410f6312fa600024ee3566383dc0add36f6d73e8617162439be896eb1d361fbfc8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
fced0c0163d322a47b1e4627aa8caacd

SHA1
3071f36ee122fc8d0f4e42f07da59ff0030b7ffe

SHA256
c82573d2e6950b0de5f97647c8a0cfb3d02ff31be56a25c2fefe43b791d58735

SHA512
fba00d4da4afc35dc0e8e5e705cee1cd3d58a56cef075823dab7b38703ddebe446a4df534cce5a8bae6127ca4d96b67182beb403bc878096b9e6d50409ed0480

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
633e1018e5bdba471797f92820b4f5d9

SHA1
4e158948322c8fc5ba8a8d0c82e2d8e860ed6e96

SHA256
141494d24d472312d076cdbf92a0a5aede525dd1940b1023e6b26663a05b5b29

SHA512
f1bde66472387929002b93718c4a859c874f7d5333791d6e0587caaa1e68c4456c7c56d878e96897e76d9773f5c8e98db8509f0ef41ff77c651544cbfab79242

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ab8fe9f446374f12120e670c68768992

SHA1
1675a0b0c2475d9483d08d786fa82ec7e46b6aef

SHA256
a2c8ed6e59a9f79adf65a236257e635503d33f5720efaac12ae3e839a10c2f6b

SHA512
849c33dcea9edb39184a5fb9a676c8b8829f66d12db3fbe89d91c64644d96433cf703e465419cdf56168960d80f29abaa1552d137272475580e2085b89c1e656

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c548e3e950c7410ca39f916386ea92fb

SHA1
5dbc283b7547b6083e6f8775ace03c58903d8953

SHA256
a7a7dddf0013ac42cc773e0f99dac047261278a4166ff7cbffd56b157476aabd

SHA512
00c0f065cb5762554f4c371b7c4dcaeb2a4b0eac7ebe803061bc9f1bcc58f73131a906c06fd262a471777c2429466895dc92b0dfc75717d36e2cda2b317f9ee3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
46bf1a31e221f529b86a59b8b5112eac

SHA1
ef492525409144f48df95936d88ff0992a0e0fb9

SHA256
98ade5e7494180f4b6c46803e30ce2b5cfd8595aef8c2b300c810afbb60a0f49

SHA512
9a3bb4afd6c58730929cccbd10e0886bfad348468d9489da86abfb3e61353317c23d6255139faf0dc94848038ae7c83267b914886df46536f9b5f3c6c3de8ce2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
33962bf1b56aed8b5488c6bdff4c854b

SHA1
0f5c19a018d67cfbb8e77e530c4a8f191d3e7531

SHA256
1068986d8a46864fefd6de24fc4ab827a562a97b83b3e5555a20e6830259f1cc

SHA512
994a479bc4eafd518d9773f173c9fe122b275ca7ff1e9441a80773c41d71db8dd937f2681f41c0876f1037245dc833b74d399ee1229db946be5d6c8a2c031c3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c7bdbdeed972419e16e20082ec58afae

SHA1
3d1238da0793e2405047b32fdaba293370e11622

SHA256
b851decaa2b5878b55a99a42f3ed826c2526e40fb388befaa0ee4227f32f746b

SHA512
6d2f0320d36ced15ec21d76265d39945d996116482989a565db997900bfc18594ad4bf1ea1544e615abb18319ef2c1dc09e1a553900d4a146fe46009917006ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
fdba8c015ac3e86a47bea9ea0bfa2a8d

SHA1
2ca05ad316b1c23c46c491c01473294530839b77

SHA256
1add5f8a1fd60a7589cae5cea76f0ec44cfea196c0e2467137723728374a860f

SHA512
1e3c197353074de1e41d3812c76ee560958edaa3fc33e869d8899047e3c9a5c5afa14e47d48b6dfe8dfef8123449a9607b68c4040fc2b0d2b5eeec4dffd11cde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a2b75bdc4617ff7860f2fcb633b1e726

SHA1
47a1022f789f8b79831830451911683f0a78cb20

SHA256
defdd70b03a3e9a31a71780412db106d7033e67ff0af367c6488e466245fb078

SHA512
6b3f17fcdceb77152ab1307ae6414202858d4ed62b573a6acf60ed8dfb0d7f7740cb301ea51260abd4e63dc1b2ca6ce3b677970bf67d7c98a37a4c66fc8e514c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
711e53d07271f9fd4a356ac31be49fc7

SHA1
6e946d9bfd46196b0395ff2adac6e2a1a5e689ba

SHA256
9ce50d5000f153c0e81c7a209f62d4854874788b466edb7a90b571afb3684726

SHA512
b5e7590cc96cb757d209c3eae9cfd72113202e6826507850591fd7150edb55971d5936aacc0efc0df2174e48f3a1343839d1f8cbef5569204bc510f406ea3ea5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c5d1581ef52d5fab4830f7fe788c2c0f

SHA1
6fc8a7b3f7a09d545f941f3435580c9f5062ed77

SHA256
e5b518e62dcbd7ab3ba6ff3b2b7eeb47acce5439e7763e68ce9bd1dcfe23b60b

SHA512
55d0fe807aa6884271edb2485b135c17ed0041d2d51abc387f601cb848b574682d5deef0b31700c671fd3e38d703435a989eb4879b5a6d1ceb02830e70d633a4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
d46560738770d0fcf82a0527fa0d7227

SHA1
412d6652169bea46deb6f464aa03ab70aeb80962

SHA256
29ccb520275d78739f4db7db3e28c5feaaa676422c5d503e6448c171f8a85c3c

SHA512
0cd9ce1fcd863a14b3cf53932e9e8fcbd7acb63727cc7c3a4add899aad5baf5ad65bee7063ee05308cda3859576539d650a1194932de94a2e2b7356c605dc998

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
f10c05066533a12e517b5b6345832906

SHA1
cab7c174a842fb4424d1d7096c37a7e0149c8a7f

SHA256
6218ced68a1d8d412e2adff134175af76009de8f99fd89d74062b8e671461170

SHA512
2bd13c4700489e2ed8bb08d2c21fae943d42a1500e7fd75e74a50280427f330a1116461d855838cd67fe96a109fe0fea595b33fb94625081af41493d892a62ca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
60bf46d7373d974fedb3f1157e4b2bfd

SHA1
46f1d0e11a7bb5d90ccdb31d31536d50b4c42695

SHA256
5038b3cf6fd052436d6d08403a01c176f92156642075904775e4e69c46301829

SHA512
6594b46cf40fdbdd9622423447ce7792eae7a66de9f9b3eb144048669a84c9b41a0f19497de4511a722e7eac0a2e6202a4234c575e00b0589e659d51f79d7a50

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
47e5f1c6dc0ddd3b04615c073283f320

SHA1
95fbff6e75e58683d863f103037ba3573f43b185

SHA256
500e01e149f01b4f0e808a40bbfbb17516a618f2c1be4b924146114508aade13

SHA512
1bd9199da24257ac086f423c68510e3e13c8ce8c4accab833992266f8b567f00ed92c6e94308b9ae9d3dafedbace53b2239bdb641d90cb3aee083740422d3494

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
207d7b4dac32540e2bd44adcebe02d00

SHA1
c2c8f79b62bfed5d559570f3c4fee3ad6bce550e

SHA256
9ded43e27362fea3f9a84b3aa1c2db1da5b5087a628f5240d9be4b452b7f5468

SHA512
222b67cb0830117d6468396af3959a53f51c1d0283a8be977511b838c1e58edc4a4b96f0a3de6bdd369d3e86a899407c71183bc6c4fffe69699003a34cc247d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
1e17afd3042167ce1c145febf2588ebd

SHA1
e8ca75adf34294f54f22e37847de0bee1652d385

SHA256
2a025ed06f45286b7e16d601c65ce350dbd4d7d87dde3c9ae4858db1d49f5cf3

SHA512
f21aed3a6a87bcaf17a915a1f2277e1f6fada0d2a61802fabc884f179c952482ab5132cbb372c59a8cabbcf9467b88fe229b6ab9ad7a9c26efb000a1b06c3eae

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
87e68bf1d3b4d389b79bda8aa50cc5d3

SHA1
f660b4f1875121c52c8a7a1655e2efcde256c640

SHA256
5bf8f7af879c32c902af3734de8a37beb2c35b4fd7dad9a7fe5135191684c9c5

SHA512
24eca0e8946ff24109b8e6bcfee100e33d96e4b7eab94c423c23ef43192ad952af2cbe1c3dc0556daa8a72bee83589fbd1b0aa076fc66f7897d6b7180cb833bf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e8150c2d63d8e35185173fc28ab02b7f

SHA1
abb61c5b7ae15747500d3d204425a4aa131d755b

SHA256
405373b6b078b8b76a2a632c62b1249949bd520c238140f4eee7251f198e378b

SHA512
e04cdecff442444dd97de49a0bc86378539024305e72c926235a864f177905637d8436f1720df49b0215e7ab83e227dc64213befab5beb083c60f72430824823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
cfe9fdf7ecde4b2ecc2fa4892e7c741e

SHA1
4f8f5b4d77e92fcb84364c8dae54abd0834d93af

SHA256
c339e05f54c70cc4579113a6f583daf3b4c88f3f14305a41299caa1195fbada2

SHA512
5b4963ad9bfa3feac3235fcfaf5812557774cb471a7b7591be286f3206cf9783bf2f6000d564c724ca1dc73f2737b78ebcd92bd1bb2778e23863d8b5d4c72874

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
291c14f2ba9741a004e2afcbc6477ee9

SHA1
f1f4ac63b80f4ed0bf3a5a0fbe83f1413682dbad

SHA256
abe586f4acc7ec89cd88b702e3664179a89348cdad24dedbbda39b002c6d8d48

SHA512
1b9f8ca12c87d5b1e81b6ac4e95be24b63906f783c98bdb9bff64165bc0ad9638ec14eec9b84d6fa70fc7df28e853f722cf6e6afc725b411480af9f717a73cbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
c4819df6bea32988a1c412b03ba3ae15

SHA1
7076dc6593fec7e7c992b052b55cca872b787160

SHA256
649ecb32b85a970dc62e8fd9e58fad860da625860bfde13d570d466dbf614245

SHA512
2dd0e13c3b7a01fb5e32cd648f4f96bee87040b944b6f8e67353e2ed6f7afcdbd7e87bb881207c7f295ac0fe806c7bfd58841700f0882cef69c75325ded6ce0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
e37dc0dd0e2637efae63241d4188df9f

SHA1
10100d087fc8b2b1b5c4f7cd8b5d1ccc27881624

SHA256
208bc36acaa672057410bb91c3b391a2cae8a676dfc08dee4489676abb473602

SHA512
c702765fe53297a398f03e45badbbdc70dccf7c75868c95aefdb62e8d559c64e228d446d5b1e3aed17054af0bfa2bfeb4c01a030ead07d0c2d1e943496d218c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
51fd2770b3b027b577adf9c5050816f4

SHA1
87fcb232b034e10f014945c7a5ac30180e17f848

SHA256
dc9e8c7dff88e92c554e208f3b51e5c804b3826f02309097ad93b4b5499251dc

SHA512
7c41b370becbb14f343dca068a3cf238acbb77e1354ba3f1b578b349c55464e2ba3978912bf81b0e9896e05257fcca94bb50ea7ef8d2c3791439e99639568cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
bc9b12f8670384c405d03c8fc85349f5

SHA1
c6741927a23c27ddff2888a01120a00c38e0814f

SHA256
1289a04b9f970bc56e68e782779729cd2a79b1d9fa4f8ee8485f8dc6d099956e

SHA512
81ad78caf4e3a12027216f475313b95b37f87e5564907e8b56ef0a453aec4b23b965ec1b12c10333afbcf94c31c18bc2c4ff111ccee3c3d1da22437e9cfbc1cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
32f1353972980f7014e6c63a531c8138

SHA1
d2e47f7511ca2f3fcfa150d7b2d6e24824281444

SHA256
ca71e3940909c0fa28ecb00fe6ee87e731aa94f2ac5c5bcd2c76b8134bccd4cf

SHA512
8d5aede577288df1a66b287ebf4d39e218f354e7c62b2509fe228ffc9a2a534167a41710d28c65cf502221c074fc55d2ff15d2c3dc2fd0fa67ace6672ec8fcb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
742113c7f01f3bba8183969215cd01ff

SHA1
2b6f4ec20aa3328eb7adab924c7f78726b6d0df0

SHA256
555737844b34d3cbc9d12843bca406fa4b1231e6ef0a783e204e46b12bdeeae9

SHA512
3e05e2e06d3ea7651599c5945e282706e962e1f980944a92d3394ca1109a544aae08f1b9267b42007b9d98a228a89016346182ba010a1ea46c3fc33bbd9175b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
9663cfb0b752b9cc8130fc8de86c5df5

SHA1
d1361c862ccc827b6ea3e1368f1c32f6b5638573

SHA256
0f7a08900b09531785a2eacf88f4fb80fa614b1312a4be0fb44598cdd7b37076

SHA512
9c00f8ff170f74628db581b01e64673abeb9946df44161cf54eb5c1d821fb75192fbdb088e94d9233baa1d648a77554e79c7ada9d39193cec35ea48319e31ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
4ca3088cd56e28c9092c37a8a068b263

SHA1
dc2b970e6d1f73f25080b00c25bab91fa76c129d

SHA256
f28b2ebd2ca229cb7a1fc6a272eab3edba2246d1bc37d7ed6a0523a7ad43ec91

SHA512
a1e291896ab7aee810d272751209dd0af4c529d9a4ef79a38804df823831225a6e1372bf3057bdc39f509fee36c0eb34b1ee0f8ef82141e4fcf86beae4cff65e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
ec34c5854e5e62699dae65db3d7a3ac7

SHA1
48466dafbf8ff017074fb2223c0860cd1e590f38

SHA256
fda47674a360de90c89ccfed20067d2c681c5fb059e8b4024f26432e46d70873

SHA512
cad588df0678bc3b532199ebd5f506e6f44fd0a73e0429a43b98d93a14ad4e4aef7f47977638048de01ef76d08f207f4b3bdb194342bad6c0321f7f6b7207206

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
6ce46c03872573564d82f142d377e73f

SHA1
526a86ff0eaf21720d993bfed55a789852e8a28d

SHA256
4472cdffd9fe2b8b1559c557c8b438907a60782d4ecb0583e43346d278738191

SHA512
2c001127a5dc18d635f63cdbd20dc6386cdbb7c1985ae052bfea08e9ffa9e56a92d2746d9ed68ea12b75d38c7941886a014f3d38df9c967d66c9f516b90ddb6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
97b7369b8c97aa47a1d556431b3071ea

SHA1
22b0da08ff029a2b6da4a71dc2a18d639c501966

SHA256
cdd2ea3444f8dd6cdfe4661b230af488d1c7065ee768d4a8bc09a3b1394f3e4e

SHA512
01b767a32fc83f860ceb5ba7e687ae75d9df7fd0e96bcfe82dd73096ad93173d951436cef1415a9c2c71834443f4a02023da98e5499478ce5e516485c8221196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
86bcf6c003642006969e84a7f48b7e80

SHA1
7d9055eaecfbc809195efe8013ba92401c31ae15

SHA256
cd1475c9b2588c6a7dbfb02332c79fcbd24172f96977ccab155846b922952dc5

SHA512
d514e025ee0fb243ed4bf62d9881dac6ae126af4dd80d9d55bdc2596e94a7d71d756c306b1b25a903ab9ff2dbe8dd0bb859147d4f718b4e4509578f0c898d0ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
9d51abac0c0d36f0a7b509f00f4600bf

SHA1
a64ef05ab0fdd9c9ae726ac6df23fc94246015f5

SHA256
ba2ab72a0c962b3022da008abaf6fe01b6f30d76883a53a4e20e11cc90f64c1a

SHA512
9a5029cba60c05efb44bcf290b35e2dc1b53110229852012e3a9552a4e6c6e2aafcce9db99bc1f488f47340435a177900eb6858b1c8b98514f2ef9292aaa679e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6343dffb495b585264e7e081c96b8d6d

SHA1
1c3b15e2d8be81ee67233aebd8fb4e27b743e3b3

SHA256
5680b29a26ba4984dcc028c3e13b2fb22639dce91c8ddfae1e3ba5c1ad99be7b

SHA512
2489586c6e51c1089df60e13415c8f365202a797d8734c3f265fc02451b986502273d4ee2569b6e5d3b9a9afa19ad46056908cb52cba65d23e48c427f268ff86

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
678dd73fec8f3530d26f86f9253d624d

SHA1
83f1388f8d63144b5b9aa061986a1928c1bc7165

SHA256
9bf056ec60dbed3719ed5113f7b202f792f79a941e98f1cffe0a28a0da3d904a

SHA512
88c2d91aa99bb52155b44c50e6a562d971a77c3dcc792044a0cfae15bd6bcfe11a861ae4b1261d80a2c79c8b182d72155e4d96340025c394a8e14f38b0625682

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
28fb1eee756e619ba9e12f4ccc7803fa

SHA1
52dc71c16591682f524843e92c524a024c1ce78e

SHA256
3753e83f40d7f3a27a5d9eadbcba66d45225dcc850d1a55c8c5f2584401a8b73

SHA512
4b2b84f21b71a7bd657a31d0c505b82ca92eb2f520fbca1f2fff353b80dc737826ed646de75181d6b0634699d361f073a4ec2d2d95a58e0733f99a75e67ec6e4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
758db6d255b658cd180861675dfaf8d1

SHA1
4c2e9dbceb0cc644f7db6018126cac43fef60f00

SHA256
3d9ef9a71b75725fcd1df97ebca922d35de021d7f000c6bbfba23df9d0cc1916

SHA512
96d1e5c3a44910c32ff39171982570023b066f210ffa0c4487c622de39ba72c6adf621c02fef244a6fb2909fa26bafbecd1eb423d109f962c991dff734c9917c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
7fe96dd5440ccec74c0b21dca70b292d

SHA1
a26481d417bc27aaa3fbfb7183644599918f4d03

SHA256
32a8a914d5ab11dcda09df90613f253fb561415fa2dad81d5a53ecd3561291b4

SHA512
d6f2535f9cb8bd9383b3f1eaff32e00768c0cb39f0f8bda09311fb531115d21c2a95c765703752577bc2e4b9a7be55849ca23b2b49c2b6dbdf5bff7c5a446d69

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5e31b22eda4d07dc180bda4f2ea9de1b

SHA1
6e6273dd69455d9c269e052394978929dd6f463b

SHA256
bab81a99a322320ee95d6f75bdcaa81125b6a9bd52ac185dfa1ed9931cf333cf

SHA512
ac3519e9e53e0894c4fd8004c384d462eb8622a63938ba39d8bbfed1002c4b01f6e519c7d871e776f18962c0b2148d3a3da06008d55a45a5a071107f19205536

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
954a95affc274c0a97338e762c80a169

SHA1
e5c8d4bca67d87855c94c45487e8e8cc68240588

SHA256
da78c9e95b59c315b2e811d3f87687f161c539378aa8d35ee4b468dd664f41cd

SHA512
9ee8fbdbc9c342aba76b185c2fcbabcef8d136b286dc695d8739e68098b3e73674fede5ed8652d2eabb8b866e18fe032761bc99aaa5c864f5b89d37907fd403d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f5d75b11997a18df928bb9fd19721655

SHA1
b978c8472b759f5afbd70d2751908f36a929490e

SHA256
eaf7f07a37fefad70fe92bfe1f2e510974b2dadc2531256a821db1fca2d29ce6

SHA512
7fcc3c78662bb30dc72588f23b5a0e459f5317fad6c75e8a0a30a3dc90bed7976013179e666b3ef76b7067929d680b468026813077f80066093b9c251460e491

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
d2131a332c1bbfc751bcea3cfe7a25d8

SHA1
d55932e7a5150a8e1ccdc4d73f0891da8731ded6

SHA256
0b5fdbcb1c0ad3844b5bdaffc37b1790941ca3883d2432b0651120272f167677

SHA512
f041f3aea9e74267105f88821d1adf58610f47c1b3fad2f615c7030bf83d992efd8a036a79ded8f5802640defacc46b4417ec581b3156f175e08534b578c299e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f954be0d48d0d68e538818a4a14d07c7

SHA1
6bf5d83df3379f2628854a4af1f67bee76706c9e

SHA256
78f7014aafd88f4f0e190504173f9e1cecc81035dd292566b952bf13791a9069

SHA512
0636f0700f22357741b59df905d494e72ece5fac385edaedad780d128b6e157e1e64bbc6a4f4030e173d20cfa090181e88a45001d0e185bf3a436ec06c38823c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
368f5235c01525f3d1713f55fe3c5ebe

SHA1
8eb62223b7568e5b3fa7b6f0cfd78712f0301117

SHA256
acadffe6f0cdd73c5df94b23b0b26e5f15eb37810213daf0d163bd0736019b86

SHA512
dbbaf09dae51b04a96ab5665cbfb65020956bbb2bac5185ad54a60cafb0770eb0b81c5fb14f0556f6317de189d18747672cb0c34d62e0fd65d818ea3372117de

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
439b8312fd8b285bcc4acf46c4c4109a

SHA1
2eb849364662de9ca631819b0bd7eed53ed0c30d

SHA256
6913db415291b6fede19fa6136dea4dbc080da41bbbb4975387c924d93d9d532

SHA512
cb33ff77cdb47693e45a1e37bc8bbcc834c3193f0d417ce740f0e6e8bd3083bb11c3ecb6537104b96a534744bb7a1d5a449f0a4464cf36392c1b0a9592645311

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
39ea2f0110ebef5f62ef29e37129d958

SHA1
c535aea9acfa231dfdb1c148968c26f41eeb94f4

SHA256
57877ac303cead22be124e0db30250f8fb901df2cb1be4bb18120fa780ea373c

SHA512
89b335dcb4b7a6d2a29f8761478c2ed1714871de4da357b8479d02bf8ba162096add511049c6ded2127e2597a3c376554765bb41833a858533361d12ca040c58

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6719093ab39c16beea9791d382ec6e46

SHA1
ce834a6f8ed880da9b187e8d0bc9aa8c6bbefa9b

SHA256
9f5c636823a4150aed1728b46e14247406c41ba66a57547b2f67fa5af5e59e5f

SHA512
cddb5aab58e6c7101d6a3b75b59ea3e0254f5bd7f298587a54e6e873ae56e57deea739c7ff1172cb84a265fe7b5b165f8dd62bd9f430bd704df121f3cd9a5dc2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
58b8a25fd2034db76b6ca16cde1eecbb

SHA1
2298524a5b9c7afc705a2e15336cacbb69ceeae3

SHA256
c3a36a9095b2bdd8c2ecb8a0ec1eb040741aa031d4989800401e97cf4c5def33

SHA512
0b0596c3f8d40e4164612e5e1747deed57a712d4dc53f792d3be5f7b751906e7f29141a6637ff1a7633e4649bb6c5140f19092d4bd62f8e456df7cc5e5338224

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
247731d2b4a1c78fa30e4fef308eef77

SHA1
08c1df7667a8d80989160bd61556a7ff6acb2422

SHA256
93abf4d344f0b118aea2e4f2abc1815681503378fd341407b5c1ab75f395b853

SHA512
dc9a606051f88bbbdd5b7621d1e5190c552ae5b7dde81321b8f097f0522d5b832328334a2000cb021eb84f4bbce8caf606c7d964d0dd55c7f71ad1109b9a5c7a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
5e3635c175eb45714916ffe02e595ab3

SHA1
ee4efa06fdf455aa73ce1cab5cb1cbf8e49face0

SHA256
5429471c5f2314358baf5106085c5986755bb7dfa99834780c1d1944228d85cf

SHA512
41abe6f21023ebdb4d6c51cd8863214bfa81af230da2c7c0971eefbf14a6417d1f87bd0d9d8b03bb19816661b613259ce16392b1359a5a3f790da7caba504723

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
80ac29bd927f80175d11e3969c27745c

SHA1
938399734206382cbe860dc6571da1dd1997c41d

SHA256
4b09e1ccb38251e582dfff8c27b1d0d221537438a1628175185be7d23f273992

SHA512
e81d6664e858a3ad92e35a1eecc3620452fd63cc9315209270a337123468514e4a52fe94ddde13d643e457c106404095b01d14ceada597f6cb41aa454c5ce3a7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
4a24407866bba040741ad4e6203f5f39

SHA1
c0fcfc102f841c6d445aeca43f50c4f81c0c4c23

SHA256
3ea7f34c3f16b9dc54bfeeae566ed741626a35776f1ea7840142989948d2e61d

SHA512
32c924c4764e3debaac3b1c03be6784be81a5559c753bac81b2e1578188360d751b3ac59742f9502559f8647ebb924802b032da4434dffb477f35c636106af32

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dc0ca953a6a1ecb9cb1b2706682e7859

SHA1
862c4b99876cab532cb6feb09f8622f83784f673

SHA256
693f767fd5cbbb72b8427946fc2efe93a7193f5b686bf7fe53d2fcdace0ab679

SHA512
ea421c639567ff35f4d541f9d2defa307a58fa3d073e64bfc4c95a0145e0746072e16b8d1dd897e9dbeb9f45ad55d21059a60a1d66614c176530b29d1670b3d4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d5706de5ef22da76e69c94e3e154389c

SHA1
8e2b1b350225dae1e7ab9a9532d8c5afa20bb522

SHA256
bb343b037691b5cb25b3cc2f6dabf9d79eb65cd94973e649acc0f7dc642183e5

SHA512
f96442f695577762de74cdf219c8b7346fa754156eed185f0c6192d0f7c68833b2d5b26cf52652930c213e03a05c1989213a0eec1cfe56211fda9bacfc997ae8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
98b73bc30e28d0e1d893b74b65d8e4eb

SHA1
063e1c9824b49378f6c890a5dc94b03198ee7326

SHA256
3c82a493755e2c918ddf0d7dbc5bec4336dcdaf85902daa17a7255ac1b2adbf8

SHA512
2b14ef1987695af7c0b993f953575bdf208eee5f85e4c4c5e1e52faaae095221cd25637e8639d5e4e70a3ca53e5f892bcaaedd8eb4a81a0cbf618bb8f43faa41

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
4ba3b1d64f54f255e56450f3c1d8d1a6

SHA1
2cba2f5f46cacd3e07aa431e7d0ff19e8ee00f24

SHA256
86f456ecf6876bb006593ebd9f75db32d0584fd69b83a01af9401e345da284e7

SHA512
ceda74a4548633e951d520c7b53da3e0950f810e085833089f5fd7171c32aa145d235d24e1eabd25ae71851bc1a4b7dd5a06f7057f73eeb3f9ca97d1d5dfb61e

Download Submit
memory/548-228-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/548-513-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/704-79-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/704-83-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/704-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/704-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/704-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/760-243-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/760-132-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1480-227-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1480-99-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/1512-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1512-0-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/1512-5-0x00000000023A0000-0x0000000002407000-memory.dmp

Filesize
412KB

Download
memory/1512-96-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1868-264-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1868-583-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1944-119-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1944-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1944-19-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1944-17-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1948-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1948-68-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1948-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-474-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2036-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2368-55-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2368-177-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2368-49-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2504-97-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2504-86-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2604-194-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2604-512-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2612-30-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2612-24-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2612-32-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/2640-255-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2640-135-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3236-509-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3236-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3236-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3824-191-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/3824-511-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/3916-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3916-579-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3940-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3940-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4160-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4160-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4384-231-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4384-122-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4568-580-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4568-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4612-395-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4612-164-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4744-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4744-36-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4744-42-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4744-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4744-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download