6dac979b7e82235b310dd222343f373aeb735cc6e5b777a3c3729ca7f4d80bbb

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Size

24.3MB
MD5

c28579c926f6aff6f557481ac91a0184
SHA1

c83560074aeb9926590d6af1544639ffe8e88648
SHA256

6dac979b7e82235b310dd222343f373aeb735cc6e5b777a3c3729ca7f4d80bbb
SHA512

2d028d269332b0b5d1258737fe7633710d08ddfe7c8ae5463d41b366acfd624024e8618a8719e49982aa135476fa6e7222ae6d47d57baaa77ebbf54fd7f4c4a4
SSDEEP

196608:bP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018fZ:bPboGX8a/jWWu3cI2D/cWcls1u

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
716	alg.exe
4736	DiagnosticsHub.StandardCollector.Service.exe
1072	fxssvc.exe
2684	elevation_service.exe
3376	elevation_service.exe
3372	maintenanceservice.exe
4080	msdtc.exe
2272	OSE.EXE
2408	PerceptionSimulationService.exe
4536	perfhost.exe
4588	locator.exe
4628	SensorDataService.exe
3420	snmptrap.exe
4900	spectrum.exe
2088	ssh-agent.exe
2016	TieringEngineService.exe
2268	AgentService.exe
4280	vds.exe
1288	vssvc.exe
3248	wbengine.exe
3608	WmiApSrv.exe
4308	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ca8982d6253fadf5.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{AF181329-A87B-45CD-9D9A-20D884BD8E1F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_89906\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4e7f8b4a8cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000810d1fb5a8cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036481ab5a8cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa22f4b4a8cbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071e617b5a8cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e71c70b5a8cbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1072	fxssvc.exe
Token: SeRestorePrivilege	2016	TieringEngineService.exe
Token: SeManageVolumePrivilege	2016	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2268	AgentService.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeBackupPrivilege	3248	wbengine.exe
Token: SeRestorePrivilege	3248	wbengine.exe
Token: SeSecurityPrivilege	3248	wbengine.exe
Token: 33	4308	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4308	SearchIndexer.exe
Token: SeDebugPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	4788	2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	716	alg.exe
Token: SeDebugPrivilege	716	alg.exe
Token: SeDebugPrivilege	716	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4884	4308	SearchIndexer.exe	112
PID 4308 wrote to memory of 4884	4308	SearchIndexer.exe	112
PID 4308 wrote to memory of 1556	4308	SearchIndexer.exe	115
PID 4308 wrote to memory of 1556	4308	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_c28579c926f6aff6f557481ac91a0184_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4024

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3376

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4432

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8f764b31c6e106efc2b3ed1aca376048

SHA1
d3ebc26f87ba12338af32a03c436adc515450f49

SHA256
5183c61f4ac75d6f578b6f3442474e923afdecbfb3660471a61290fe01dc8568

SHA512
895371b17968851dc5b82ce8b6ba4ad6a9f4c5ce6adecfc919cef4791d4b4bded9ffe8bea3856a6be4a90e2b2b70f2975b8ad2ca31191a544821805f9e8487ad

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
cc1f79709daa365af6f050b3bedfaf83

SHA1
b84b1adc44faa3e7594f6221d6c45a3e50b62c85

SHA256
f720a5e5febc21f5164ece7942bdba7920f6db80af49a3e4f7d3bb9f9021b604

SHA512
a3c6144e2a16576ff9c63185f6f169f916bd41ce09e397ef6faf2be2877ce535e12b8d6a1873682095e2eac7e4954b4cb0435a8ab9f091f712aa6f359c9e4d06

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8e33425d2ee2f910cc8afc8eeae3b2ad

SHA1
a83b84f430b1104f8ede6826be1ee1b2cd94f4b1

SHA256
5b5c5975b5c850d218290aa75193d4ca833379708f110f62008dbd19a42fa501

SHA512
b89d6fd5deae529b1d18945a2e5d42203544ccb99b5846b41235a6da86283020e496c2860a5acda4fcb94a3b70acb724b0c9dfd24135593926db5313f7aab6f7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9a35aae1800defc463de4564ad693e21

SHA1
802facd05a421041d8f1bed9290b90d42d4d4673

SHA256
8311c866c1551cdba771ebc07fbbbf41db351aa21c97337e665bb3c275a3b279

SHA512
de0ebc21915b474880f232e54ad4af3183f816a9531b422ae9bc12677574d490f2cc95493a8b1d852a17db8c2da2b743029370413eb38caa49be19c6864201dc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ae0377729dea0bfd1dba687f2502da85

SHA1
fe2dd548f76b02ab0ff0ddf7e77c229b3efcabee

SHA256
c2ccf737ee3242153dc96c02f222f64dc980acfea37291a85c0f1b0355fdb390

SHA512
bb5ad2300d35dc576a3d402c2ff838eccd31023e6b69e355d1f1e2e75897ef611aaa1f5f65d00e76f7fcbc63e3c1eac30f0fce4fc7bfb7eca9f084284268832e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
fae0b8a52835499d4c3aea79e167788b

SHA1
6a2c330d213952c5907dccae7e4f5d715fd4d5cc

SHA256
512c704ebcf10964d47bf14c7ee5a26b5af42a4b4eb2649c420419f502157b34

SHA512
b94c0ad2204e06158f27ac583ed2c32825b6649c8fd652e2847758526fa09b6f3cf9f40d7bbda41fcb3c876c597bd817d1e710f67e5e3573337d4c8ce82ab98e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9680d2cb5fe8db1f424114e44964106b

SHA1
1e507c6fd080a81c9576f920564ce60ad13a6534

SHA256
2e13dcda9adb12ce7fd0356fb3489f67013aee37def85c388d76e054a35715cb

SHA512
596e4b6d05145edf9e89a9e2cfb0a0ba2957081ed6ecb6f1cddfb565fc13840dd59f2b6c3f42a23a385a4fe46817524989571be24d9e5604475dc0d5a6e6f16d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5fdeaeb303e7c62d5594fadf64d25b5a

SHA1
6b571265b8e20ce80f2409524d3e8693e32ecfcd

SHA256
795a9d340ce41f533b47c13f1ac57a9d3d5fd4b30d786d2b8bc12e0d3202abf5

SHA512
1b24e7c31d22136bc9e3ed84ddb470b4b3f9a1660995071a29bed4794ffd8100b3900dc94501f762886eecb11793510daaf838a043a177fdff5592e48c5d63b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2601324e91ee97d4de081259b086dac7

SHA1
50f783507e06677cad2db127869b6038e5357283

SHA256
e115d18bbbababce456d737129d4d12efe1be433d9b27f37d867ffe8cbbf546e

SHA512
e0bdbe51a1b9e1679952ab2e571481cfb12cc4c0869f5051c9aa97536410c41572bfbb9562443100740f772723939991de78354d85526fd71494eaa90509face

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
250501f28ef719aafb897080705d395d

SHA1
f880e594c3eea80ceb39434b71ac47e45ef49e73

SHA256
9eaa4ad5ecaa1cc3731ddc8d2b81d1b6c1a25b43aa2d966f6cef8c5121ba4458

SHA512
3488d890eb8f94937fcac3476fc16cec13038289bc99aed3a9ff1f5a5d0ab7064ba310341544b72dfe3df17e937fa9df63e048840b1b99b4d993b8f3cc86ef55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fe45174c2669480576b16104f657414d

SHA1
33d9d92d060ed5ccce18bc73752e4017c75c5263

SHA256
24eb8f1fa69b5b0a947c28d523c73952bcf2030e301f46e5122da19329002507

SHA512
ee0e0b46ba0c0bad82bb18238428c08dcb590f551b329fa8345c98c32807ce2fd4b866b05b39d48747b7c41a4faabada13182eae72056c572b1621f493f7a919

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
77b8bf3862055b61ea236d12f0de7f04

SHA1
3891b2a0df816487e674ca965ab0e879b2de3a5c

SHA256
e7fb87c9aec6a839c89984cfc71c6eb57a19b68d882413cec9a9a89b232234b2

SHA512
36781a1ded52c7e263ff678de6f4dee069c1df6e780656a957860d66dee36cca55d7342af0506aacf5a9051548164659d23fc39b5941f9cacfb858d3d68f0205

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
104e2b0bf0f5bdbc48c4ba28471deb60

SHA1
d0cf436cc8a6a25f244ccd55f11aff71d82203a6

SHA256
a36a81af4ffac37ae60d0e27812aa0d679937b79dccd59b7d67b522e4c3fc719

SHA512
f91e7c4f8d01428a15a9e9e606428195eeed3b84ec006d00ae32ca004e2572590b0dbb80aef877f16ba9c7709958f2cce9ccdc0cb1c40ffda7292c96b612366a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c90f6715ce8dbfac276c00ac21162d0e

SHA1
3bd4fdd16b9eee6f010122bda2ad8c3f20b21c93

SHA256
1945944176647e73937c191ba1a1e0e3a912fbc69444e1f3441d364c9037f73b

SHA512
6bf593407dd687ef7375e91e00f30996d8cf7be9fb2797834b43d63ce88e3894c1fc524da42b1b24220b020568078141490ecdea859a4f5c926f4761484cda4f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f4655588b8673dbfea3ec640cbbc74b6

SHA1
cbee72cdb69445b31ce7e458b5b6f35ae7728fbc

SHA256
323021a9c95b87f8b0377bc00d645f58929f229078ac60f391fe8f4623aa5e08

SHA512
140bed96b9c81bd82f7ba8731fa2c1d8fddb0ae3a369692ae9df97707ff111de70933d409cb1a6fc1ee9b50703a7008f1f115aa2d898114178741f94cd9088c6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8deb961ed29c667f717bf6bdd79b3844

SHA1
4cd52ca776f93dc743d362b43270983155a71152

SHA256
9233b387098cfc09ee292c82f4b63511d9d3bc1d4fe752dfe07a45cfc2ecf8a8

SHA512
21955f15057a2f66ed7b112d05b687ab3f618bfc206a50787b70b1f76dd3bf2f8216de8c18a38a0184ae4dd5c2aa7f2c692c089f0bba1ac6bc63523f30f83f7c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
720a01e167e72700a93a5f3030cda5ba

SHA1
b4736c6576686d76ab3e1a6580cb24b0dbb53dc9

SHA256
7aaea27ad551d2544998c67ebe6a299c343ce782f12152f70bcac168ee73d98b

SHA512
db47811399aaecec166fd4ce3da0d38fb36b222ce7158a9762fbd7226d534fc2f70a0e67fa3754d29f3d9e41d0f41977a515b245886439cee6dd3ff391459f75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e8d79f4b86151d071e9457592bde3815

SHA1
ae440797bbf2ce6525b06767dd5e0064f0cd2dbd

SHA256
4dc33b42a0580e2d4b57ebb22b0fba8e934a54f6ec72f110b869a0644d833caf

SHA512
678f2e0bfab88140445247305449fe20d09d89f57fbafb46e6732ed16d8a69a8dd4db9686a254e239f0f7dd75dd79ee82c74dbab7dcfaf3bb845f6387c958fab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
cb2b6dbec221d3cd905d306f6620e670

SHA1
b9415eae7652031b6b54f0d0cdcd7128219ab9c2

SHA256
8ca58c5fc54c066e4f506a4e4290aa5f768dd1b4c459b7724a909eff4b28e09e

SHA512
a34dafe0064a1d849f4967a6daaa11ffb601c941b0dde790e4fe3f1a6adbe67012e6486af46bf4c749fb6fc40ade4fff8a8709a37ab61e96bd5449efdf9d9ab7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d1a56f2c01b1a8a7d58ca1f935d0edab

SHA1
eec957cf5ce296159d1c70be72f49675d3744e67

SHA256
5f6ffb3e7a436c498596db96d10cfac33e8b2ae9d67beb65fbaf4adebe2849b8

SHA512
721c9fff5af0ae3f79cf0f09b09930c5b255c7643dd4e1efd33746f4f8a681d488b1c1667ed14248d727fa13bd6ac5d1204936749be13799836285ffee27259d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9ccb8548728705f4efee6eb467efe59a

SHA1
aeb86b3299939336a7fa568bea22ea3355451fef

SHA256
54683d43531084f0916a6438c8cce11940e01ad4725b3aaf1a74a03de1758312

SHA512
ffcf8c7ec69784d0fe1424eb1d35ab5e53e34fda572151a5bd3bbf135d7a2c896b09428a38836a96428fe3e3272aa462a807bcc9f0e1d3324cc85b17b79cd4ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
1f94138bfb294f712ea2ea042a3e2d6d

SHA1
346bad13f09b8e9dbaf11ccaed398962e3ea9d69

SHA256
2d032399d8a19f9ce054d410ba7460efca6594bdc22572c57c240f7367c6e0cf

SHA512
81ca2c74bf98ff7e47bd9751b1f8661d25be16c828457870afc8ff15066a99b2c6ad57a8651df4914fb90538e48a53897e142a03eb55f31f37e55048f34c4545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f60a0b2efad0b1249390258aa9b95de3

SHA1
ca79fa82a51abbaa518ca59339830639fee60488

SHA256
9ec687b9b2518b1b851646eb344583ecff2f56fa6d44b47404ff16cf203c4ef7

SHA512
7e4a17bc62c5ec7c5ee5e3f7980067dae3851c74e6262de51288c134ce4f7cb4bd07bb06791fa6e62fe262bff3d8082ef5551a3eae1a85f470d349e49fd9cb07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3a8406d7a6a7bdc4507bbba997fc8582

SHA1
6da20322bbcb8539f92b847e031b5b85f05b969a

SHA256
b7c7f21bab9d734afde3d5b92d930a004e78eccfbccfffe347c3a26cee89f4fb

SHA512
90cfaaa5c54834345ce2499471de273754d2f69d5619e3406394532e395bb83317c7f8c8dd01b3ff9ef0c0705727fee39a5829610be7880ab8a953ef87ce676f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
88e13295044a8922a75b63db077dfc7f

SHA1
7ac0f0c381979b86fafc21dafbca25f7d4eca403

SHA256
b7ee4672bbd7813abbf2402a2a38b6f1077dbe1c3c5578361e7a51d591c92be5

SHA512
f16f4076f292b5d9d9dc725fb9a5982d42777e5cc49648c52de22fe9f275ad6c59443c69fe2f225cda05f421122b1935f04251a2a3ffb9f1f4a1cba9707c08f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
291c8e0f6f082f6006a5504dbe95b3d2

SHA1
40bddfab55b2e2cda66d4eb1a9f3ff31f793c523

SHA256
ff62743b32b1eea8c4f69ccef89b5e3d551cc88a859c80eaaf2d2099d2652d78

SHA512
cf1057d828a6c54b28c468edbaa0a4696cdec053663cedda2ba693068b38587507d7f791e3403181cc18a2b21ac368a48782fd2c04d5bbdb4389ee275255db62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5f15decc56edb8cd60780891be09a49e

SHA1
2b0ac5ce86159c3cdf0f176b55c8105015e80698

SHA256
874fe195bc3abdb4076bfa860aedf189614c0520b5048b228181b9b2ceb42dce

SHA512
51268ba7b1ef3d522e85ad2b654fbbf2efc1e857af79c43071d1ae1095ee73d12229513bd5f87be5cb750863464f9d2870c6eeacdd8654adfa975f6886200f99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
75daa961a047fb4b0ddc7afce5849b2b

SHA1
a0515d3875abca3934e7e570faad0cdd6c875b7e

SHA256
9840ee151ddab41704a7935ac2e08fb798b07cfe882b7979298e185990233df1

SHA512
a640430acbdbe138955badca1aaaee1279860857b3b5443b8ff4d7a171164f689e3f847c88581e57cfb3015096ef87cc2a93bbacd58efcfb74be52bf8a1f8dae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3a3b163778d18b07fa5d1b11db973026

SHA1
d7296b1bb67a397c41df9edf7487cca59bbd3c4a

SHA256
1ea743425868ba1f88dc66584076472a1526bf86324d12f4d218ccfd7b404c37

SHA512
a9e27756dae4d198e6a6745ac797f7765dbcebf2e11791ab2d65a5c7c0bfaf9dfe5ee315387277a2a081775f63ac0be3faa166b76ac3c05e8bcde513ad361e0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b53a5727ebcbf5ccafbb5eb08e3cb683

SHA1
74391acd3fac5d2351717bae7297ef9fe47266b3

SHA256
ad255c174d52f793cb818187bb2a198ea969578088b48ecb8a6bf6cf13c6d18a

SHA512
c5702efda9e2a9693951c1c7bfa2cc4ab4d5150d6579c3376fc9d1fe52b9dc228ca7a1ca04fbd4eb50ec17d100b91f48a7336811301a4fbbe5b50f395a0c460d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
155da89b4b3ae2e8f12934511e76c692

SHA1
5183e6c3138f513008ed7760eda3eee8408b88b3

SHA256
bf7e1ca5aa54c07848fe065d43b25b776e490d2c6d14a345a5a0c5aa015fac37

SHA512
ae9e329887b176a28663ac6ebf199bf521e73cbacaffdeada54c01dd40a99ff6532691e6635241df0e2cbe9117379310443f6820347b0396a3964806e86b6882

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e4fbde18885de64b1b8f50494373f000

SHA1
33367e0523b1b0d44b94295ae5378a14604a39c8

SHA256
b755940482c704b5c89d781f3d5f4a76395d71a0d4cb2eed3b8ca778055c44bc

SHA512
21d2da11e3fd19f4697051dfa8060d6f0ffbd119f54948bf5676edd13346960fcc3e1e2fd2fb75e368c90ce71ca0835a4d293784b75f8b02ccd43b2b35c72712

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7669b5688a11f9e21a4022467dc76995

SHA1
63d6b89626e86f470f99843df10173618b8aa062

SHA256
c0a42987a0911bcf2c9f68a02adc48f2d01864719aad1a04eaf373665b7c06f1

SHA512
77010c9ffc681eb8c563393efcfa4509b208557ace8bd2b601cabd8d059192ed64e1f778e77122b5f63bbcec6f33c4583b0f5494ff957017d4d551fbd772b6ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
2585f84f49d017f3213784793aec04c6

SHA1
5fe755d6efe736debf185bd32a6e65e5119a988f

SHA256
8affd0dced95456abd5b2a24947f67d6d6de68c40adc8e52ed1f1b7743a47001

SHA512
964e7044acf8c7fbdb0a159cd3513c192362d3d8671ce86c064eb26189eb25a1257e31f8b50fb33c31aa6e1ec3a9ad065b3d763e132d7550ae49b5397e5e1786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
7e8c567b60f32467eae2613627d3bb08

SHA1
79b9c6306ce036ab6d98174712faf45183b5150a

SHA256
a9781fcf287d967e14298dd070ba61a2e71498709c502b5b90b9f31cf442aa5b

SHA512
3cdca67c9d8f5dbc2d4063d3e84dbde1357b2742535491ca5af52d0188eb0dd379ecd726b3c33149a25f3513a722602ec59359f629a2662bfe45762a2120140e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d47ce6dbc5f54404d46cfa341bf3ab91

SHA1
5b9c387cd205812028f343e6ebf242d1118950ee

SHA256
584f3636dad66f05ef783d00b53548ac6aca95d1368a9c65cf047853b497a76b

SHA512
a79ed67b71b7cd67df9854ddf32e4412204b774f3c9248a66fe2b71f28a56b8737ee56a81f809467619225d8d1a886a3bd856a8be60c6a98ea062e03f37b9dc1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4ede3f56224e00152829d00b4f287d2c

SHA1
e2ab5707d856ac6eb440de40ef79923d15779a32

SHA256
fdaf34936f806bfa6901f0ecc985f245a9c50b7b2d5404ea8abd90d38dbb908e

SHA512
d28876b3b84eac84cf273c4122c16af5b08a17b8b77b5d142526ec6444cdd701123d31a735f5aaf5b90e7c20994d9f270d81fcbc6e1bd897c03055fbb4ab8407

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e68cce32742adf04116d12eb60d8c60d

SHA1
80ecebc6cbdb8ed6b2b981be2c605fd8b2a4d69d

SHA256
925b6c7caa03286c98640808dbd72e7c9de015a54a2f6a60f148b4c6fc537766

SHA512
d9035d63e18938abb70f924f3623779b79bd5bc0b7a88cfea2a4d2c3ab5c8e618d4496f65a309140f18c454f8bb608a8b439a0f4a0d23de1d8067a428d6389dc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
93f174c5415e9bb1bbc21f90f0043b0f

SHA1
1563e210ea1950e1965a51459d8b20c91cbfdffc

SHA256
789814c798b9249ef479c8e348a8a773a5a55e1d6482f6d29fc008196f6e2440

SHA512
472109faea0e4456ce4968df8d080af367c3fd14962626f5180ad27d45b74116da8e84aa37a70f5c03d6503553e40e1b2cc8c623dac8f468fdd77816b14e8580

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e09c3d037c4320114115019012bf5b27

SHA1
23a5b027d120a8ba483d69745bde467061ac0841

SHA256
8b89cdb068d4e8e0599e2807034d6d2dae5a69b2d1244eaccc0c65f24187db11

SHA512
304b778da00acd766e7025021112c22773e4599d69d8e709636b337db58839c497bc9094a34cafc4974916e48bf4f09b4c558da3e5831e0edf8ffc809d0b06d8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1bbc508e9241afddd69d1eca0b07913c

SHA1
191ee787d943ec58bd29b264cff8c18d36f5747f

SHA256
6919541e99d4060ebb1fa6190fe80c8fc036edac6c087bdc4e0c6541add13fea

SHA512
f752709e3d0e8333a604e443d530aa80bfbd1fa1c048c91f07a55fccdc18a780e9176e35ba3043c4c7ba3ad9ef2bbd4265c534839f8d46bdb856c2646946bec8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5d0e1b03cfe904bb7ad6c981876f5059

SHA1
bfa6e41935323629eaeb1acbfc10a1ef761c1bba

SHA256
1be35603a6e4890bbb8947da16fdd50b589d395ba5b9dd7d1adc75aa57d586dd

SHA512
01284899d4d89d47998c00fd6d2f5f5dde718cc4c12d8578f4d3af2ca06cc651370c761d255caf15c021606667d1b9c6a986ccec3be252c3d1303769d8484f3c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0cb599a3c463ca7fbf8a4622195c9954

SHA1
a054a023e581df8f4ad096937aae5afa56f8e836

SHA256
9c18c1c32da60e6229667c5e73f5eb396fb867229cb9a45a84e617604b0c1423

SHA512
9883b5865d42add59187d45c14d18f8f6067d3bc57e68103ac84b070f5a0acea0f97ddbcea21b398ef56e8175b8a5ee1bb497d79665501718b1f6f577904b493

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3723f63d74abefafd0d663066ca45af6

SHA1
bacadb65cfd99a4336330106c337f2642475c4d6

SHA256
bbae6ab0aaf9379511a794bbacd392f6002016d1b3f4f764da0dee66ec56fc4a

SHA512
3caf2175dd3839a79f13fd55fcf47837766bf15ad6885aa6d5a39aede6bf09b5833d095567ce52fb5fba471cef61da8b48ca42b619b12a8b5772fef22f7901e1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
abd01a9390004553a095199fee5f2b54

SHA1
8dd63dffbe434c280727eb9f27d6e4f887299016

SHA256
79871f3252ebdb9053a8eae02558b814fcf70d349783987ba2f1d2f42af27cd8

SHA512
4f7e6171d3f3ccb8d4e12f1c4808a0777f8e298c0581d72f78ead4828327445a0d5fd7e4ff07ddf20c285d87375e521553344ade662e81bcea60c8ce71e2002e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3aa2fa44a79f61c073b3b795f73c9413

SHA1
cb5bad08e6b675a6b0de91de03686744090b8bf7

SHA256
6e0a6560cf66ba2dd3fe72fff21f795cd6d807c393a4f6180618bb8ad050936a

SHA512
30b4c8a700538016584731cff38781135cab97deeca20f0f92c5ea35d53d465df72ee86c64e48153be182e92b2e8942b29dfb647cf1cf874900ef411c58d6ed3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bbfd22536cfd3429a3d4fb368c3e3b35

SHA1
2e5134e74bafafd59a4975e7c197668e6852e987

SHA256
89a2ef9acec07466f26d4fb93be44110f7601132f82d006bf1077cddc972bb3d

SHA512
248f921131dd78edc910e1f2bd3bb40a27f0a98b822ea8b36463f87f85f986586b53ccb6be12527a58d15746abdd72663163e0a7e322ea87c8cdd215aed7cdad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
abba64a1feab92a0cb21af81f37c2e68

SHA1
1f5f80620fb78f1e16cb47df008b427ef6e18cda

SHA256
190bdf0c0e0a15dc058f5a93c48c3f5800169accd68ca0e89e3c3ada806ac4e7

SHA512
274ed372eb253ee9d2e34f0b05c1778c465829339bb23b0af39be0db75f195f82706133fb4e2832ccae337e187a1d5d7fa01dc67f1aa8b3c4aa8271fd9924696

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ca546a308c1e76cb3c959c7e9f275e1c

SHA1
fcc8c4f1115b9f7af779d9f652a2b53bbde458e9

SHA256
8918576aa57104630e1027a569bc87ea64d032c478d7bcbeee70595b5f27348c

SHA512
caeb084e84bf58d06cd05a7273fdab88f98937e38233d5bd4d4e5538c78d6f97aee0c1b8fbe6c4ad260818427ebe97514ce9f79b49adaf44b5b74f6810f70b88

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7da6e0582e8661643fa69b3a9a9b24ea

SHA1
c91a384cdcf012008a0ebde907592de3f797851a

SHA256
37fbedd44b73179b4832b23556684859aa7e87f2b7276bbae881ab3872992bd1

SHA512
2259e71f7a2dd097f4c74c0df2263594d79f6129809771538a3bda00ecf1d212daa3ed6d8feefbaf992c6d5c6e1828b7761540187f4fa09a38cb66f090c30191

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7dfb652a6d3d306322f83386a0d165b0

SHA1
1a09172fb96d6416e4ffd06e49c4785eb92daee5

SHA256
b7cad20d45696932d31e57e5ba352f8874d50e85a3000cde9d65cc327feda482

SHA512
f26a1f1eab0f8dda3c5e96c58e16323f250f6ef68f99ec5c6f26ae0949a96cd2e1c20cb72b144c5526e9d5f5a309662ab206ef637331ea06ceba31180a893902

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
68c2d3eda4df0049fbd85c7e7a163044

SHA1
197d397ecd25b402e1fe5d05f17298c3aa28f4fe

SHA256
96dad8ae3d6898cfeb4db34b435b34566820a22ec93b7eb143a2b47087c61a03

SHA512
7c5ef715983c293cf859e40b78b795cb1ee0cb2354351248d141cd57085561063bcdd297f895a7f801418db6c6c4eebb33f2f841bd6ac88cc16f7268461e02b2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
427b2de8cb052edc16ecf4046a93b81a

SHA1
235a3b9c1ccba98a521d06ee3ff9e7beda2d3a30

SHA256
445a03ed7e3ccbeb147c9427659a40e11112d80dcf0f4c6e253fd27ecc6acde0

SHA512
3be6b96b565b909b6347bf6907d0cefbde760451a6261b3b354ae2b0cc952e2eee9fa947f5d3006366898f45698a12d5004239368a116558c4b00595b19b8f7f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
94ed27ea7bfb391327c62d99e393ed28

SHA1
59b70925ec789c5dabe5ca590eca3d419eb0ca83

SHA256
134ecfe1c579c80bec2d9beac19b1352bd8036224c129ea3914e799a700d5e91

SHA512
1b623ead4b3c774a11147689c9cfa46fdad9bc95c7d817727cb5b4b9cd2dec11ec150a6aae12daf04e4ecaa3c176f93c324040758de2bd1255832c9441c1bb18

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
729951b1d13390d1a24745237cc88dc2

SHA1
ff1a134cfd7fd9af44177b8a2084c2f09125c9ef

SHA256
84c099f1824337f61ce3f3edc3389e44104fa840c6354e0acad6466f978bed07

SHA512
2e6e911c3540317677f0e52f4c85f6f8e4f7e8af4287ee30eb99f97d9aa6f280a45ec9280629952e0d040e76293b8d0650cc49cb794dff0043c2c1f5db2f9f9d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f474ca883e8e04d7b69f4a1c5e2e5a20

SHA1
5cb075059f7ece0ce9ddd3c26eb8b61475a04bd4

SHA256
a67c94eb0825e5efd34cd2fad91ae714718ff2302372c9d7a91a5ce9febe4b29

SHA512
605343812e0ba91acc1dc2995042ee56041fb613b3fc9e9da3291a19a804fa7ffa0a4b95252fc0490545bfc06042e5237a4a8cbfe2a426084b18ff2e0cb64eb8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
40e8d81ce710c894a63b110abea82c80

SHA1
14627457631a8d105617518215dd2d34d26b970e

SHA256
b8b5364708a738a164f5f9ff0a98c7bcba7b32f97b386c1953c15c4036d2b1f1

SHA512
05e010ad79ae67d60b6edf075b756163a4d659b48c64148b434818d4a4ceeedf1272da177f9b1bc34b7eefb116814bcbf90565ee137447cd36302a2672019c6d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e2f1dca39dc71aac3cd80ee281bab5f3

SHA1
a2491a7a75c80b725301585815881af181e092fd

SHA256
aa77e7da31a2f827b9eca837af0bf4d08401638500c64e41d30906a606f83a8a

SHA512
9c6593d673cfe17336e2e4a93155b964ff8bd60968ea217f60cc9dad0e0397a0e11a7373b444be233e0ea4b52017c4e8adf8a8ff07528d176751f41ba9c9fd8d

Download Submit
memory/716-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/716-110-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/716-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/716-17-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1072-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1072-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1072-57-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1072-42-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1072-36-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1288-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1288-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2016-203-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2016-480-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/2088-192-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2088-476-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2268-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-207-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2272-111-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2272-221-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2408-122-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2408-233-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2684-48-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2684-54-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2684-47-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2684-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3248-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3248-571-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3372-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3372-84-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3372-78-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3372-72-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3376-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3376-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3376-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3376-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3420-407-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3420-159-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3608-573-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3608-262-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4080-206-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4080-88-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4080-87-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4280-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4280-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4308-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4308-574-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4536-125-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4536-245-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4588-144-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4588-257-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4628-270-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-479-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4628-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4736-143-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4736-25-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4736-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4736-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4788-85-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4788-5-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/4788-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/4788-0-0x0000000002500000-0x0000000002567000-memory.dmp

Filesize
412KB

Download
memory/4900-171-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4900-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download