8e3faf16a7bc3cd6b643aede374d82a0ea11e487af643c9ba3bc461ec3010f23

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 23:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f5e822c565e708700228597e15c0501d
SHA1

9c927ecebc617ba0b2528e13e916d2483f0e4959
SHA256

8e3faf16a7bc3cd6b643aede374d82a0ea11e487af643c9ba3bc461ec3010f23
SHA512

48d48965bb41048485038fc862071f5474cfe299e0da82864df8d3ca81a9202e95ba5c4c70a0da65d4282623a3930715b9660a43e1135a300d8b81cb39d5d421
SSDEEP

196608:/P0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1OpUH2SAmGcWqnlv018vP:/PboGX8a/jWWu3cP2D/cWcls16

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1964	alg.exe
4328	DiagnosticsHub.StandardCollector.Service.exe
1532	fxssvc.exe
2680	elevation_service.exe
1028	elevation_service.exe
3028	maintenanceservice.exe
4356	msdtc.exe
1752	OSE.EXE
4836	PerceptionSimulationService.exe
2612	perfhost.exe
3092	locator.exe
2996	SensorDataService.exe
4556	snmptrap.exe
4680	spectrum.exe
4312	ssh-agent.exe
2788	TieringEngineService.exe
4436	AgentService.exe
764	vds.exe
2572	vssvc.exe
4976	wbengine.exe
5020	WmiApSrv.exe
4668	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5a95e075cb61b0.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{796964A3-CF91-4ABC-A549-587EDBF9030F}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000501755f330cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000135f58f230cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006aa6e2f230cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000006482f330cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bfa74f230cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	1532	fxssvc.exe
Token: SeRestorePrivilege	2788	TieringEngineService.exe
Token: SeManageVolumePrivilege	2788	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4436	AgentService.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeBackupPrivilege	4976	wbengine.exe
Token: SeRestorePrivilege	4976	wbengine.exe
Token: SeSecurityPrivilege	4976	wbengine.exe
Token: 33	4668	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4668	SearchIndexer.exe
Token: SeDebugPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1824	2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
Token: SeDebugPrivilege	1964	alg.exe
Token: SeDebugPrivilege	1964	alg.exe
Token: SeDebugPrivilege	1964	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2152	4668	SearchIndexer.exe	111
PID 4668 wrote to memory of 2152	4668	SearchIndexer.exe	111
PID 4668 wrote to memory of 1808	4668	SearchIndexer.exe	112
PID 4668 wrote to memory of 1808	4668	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-05_f5e822c565e708700228597e15c0501d_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4356

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2996

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4104

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2152
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f35fa74c854b3b4c44d1d1c9ac1afb97

SHA1
43b14085354d33295fc5bb46707d17bfb3f1ef14

SHA256
e68a7d950475217f9e2d760eb065643f2b7029510d4561f871f119bfec08a6a4

SHA512
42e5afdf9a9adbce7ecf494abe2364503381a7c5ff81d0e4dd8ea6514879fd2a054a2297ad65cd58076de00da49e73b815e02df6af302f8ad920061edf4e1228

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cfb44cfba731ac8b7fb685221992ce64

SHA1
65d4cd85c125770013a86b6e90827909b04abe67

SHA256
13629dcc403c290a60c7352c253aef330895df070a199799a36e1eaec7b18bbc

SHA512
b9c76ca76e806c6f90c84fd1a5ed66f2cc959b7145bf1c20582dd6a140af50241373446611df452776be6ba32304529aa4f5206ff1b8009da663f3c013fef0a4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
cc8dafcd663606fc86930423c36ff386

SHA1
1c967a1c79f18ab66e566c1820d5e044ce09c54b

SHA256
0455bd6403e59d32f6979a53f83157ca4a58a87a017396dda6ecc795372cc362

SHA512
5d5a41b5fb1f0bae57047bddebda9df59311f04c7dff9b6fae1ac86d352d193b3389762607acc3519dc3f9417aba611523163bcc5ad89d23625834d5ae8c07c1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
936148bbedcf5cfef8c95dc6d218bfbd

SHA1
925c1f28a50a943432faf6f3255118e39565eee5

SHA256
36eefbb711ad68cb22236fedac1e04893de62991e0759899a91a4cef47e008cc

SHA512
32718bc06e1fad59c0961bc608ed6c423bc3afeaa5ff3da809334696656f3f916e28079e701717b4ecd527a1e9db36b37d5682695099cdb083cd8911c855467b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f431d3b6ca59c955d31ad6b79d1e7677

SHA1
108771172a76f477ae04e46c22f80cdbf69cea6b

SHA256
f4f91d172394757021f67f141c4c18886312809c712fe3ac7c258071d1d9f10c

SHA512
a8849fa135937111ff1526e7ba22df42c2af488e70702445e71799a189fddb119b3ebd9b1b28321c3d9c920fb548be6fb3f0dcb0686f0a09635f865e0edfe547

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
e1322bbeb6f06cf7102cc8c4fa718c90

SHA1
96e14a15ac993a76f716ce26748fb701c7a24845

SHA256
9b73a4ef55d58fdd78855d94457c1b180b05c2b8f41d9c9935b35d37b4c76d68

SHA512
8a3705d1eb3ac176975ff91201d3fcb744f50ac831fd881b0ef595ce7ff27aa781af4aa75dca81c68f7a01d02f7eefd1c0efb0b1c7259670bf175ef19db23b07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9063aaa344bab412074d1075741e883c

SHA1
d54c77b1b38f13238cd9c9e4e8d7f74f36d71392

SHA256
61982ca984cd9b304b786bfcf199acca747f9312ed37d2e27caa432d78ad95b3

SHA512
b9afb2e5db0e3b81247649dd53532d39ebfc8a2e05a4dcd6db2783027d265d7df70ca2c8081a454b19b4fb3d40c646a218fd97e5547c07f8c501e9d5d8cc16f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bf46d12481fc409ad3fce89e8104745e

SHA1
6c4dedb607112fa41c188ee6c6530982cbc2eb1c

SHA256
00d4689f8656e98cb55aa54ba2163843cdff334a681f2840fa14c5879ed7701d

SHA512
4ccd7099d39d34b0fac1e0958086acc02c47b4fbebd41139f6239f64f791445760afab7823b7ef0ed0a5c931bbf2bedeab166c78dfe64c1e062b8b55a8262bb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f50f57b5e24515b649366e172892e8d6

SHA1
5ca0e6d2ef24567ac888d8d1581025da10dbb856

SHA256
99acf3761d3d6cd4b5e5d55085e1e199fbcb427c8051e7062597a6c69bc29b09

SHA512
f8a5a11580c625444825b06eaabdd95215f5ef226c8da41932ddc5874c75261bef92f2dce1b64820511b63c6b4b7cc767cd0a218b3a3c475621e39d244fc58f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
29d9f1667bb8d59076a192427d81fb6b

SHA1
57d3c173cd6891f192457caee611c20c977e8486

SHA256
71f3019fcaf74ddc2b7f4b5ebf9fe038375a6213b1164a3c534d77fb92290160

SHA512
2d957d6f89df621840fd4ed801c5ab27aa81d804a4305957860cd23a141e75886bab59100135d9ec5728a340d302f3214345a5ddc0507ccdb3c75f255a31ad51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e30ce2710e5ab4c81bf3d551f72fa8b4

SHA1
330895db41389400d00b49ccf147c34ffc33b792

SHA256
9c34a3c59d99f39822d84026574773d9bf20748ac12fa83f70e69b478dc2cff6

SHA512
19decdf899374abb1bffdd106091e5d9361b42088d3be47cc7419fbe2f37dbad3b09e1e5977ec8129b4fc9dadb621475a65f2798414d71831a7415a16c12a938

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
05244e71c0c557d6052c894e23d8622e

SHA1
62bdabde28ecb5875212ffbd2246755658efdeda

SHA256
97b1c1f9f4ccf44917e43d43df30c17c8830a84495e79ec9f4d3bcecc3f27180

SHA512
1211b31e567be956ff6196c226f584bf1b696dcd4867005dc6ff18b2fed9a2d8fed051581008fa18e2a7082c5f2c02edd96a8059d96cef67670f7b7377b6617a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
77058108222df4ecf94fd5c2f4f762cc

SHA1
84d20c12c39400b69254f14afb000493b2fe65a7

SHA256
f334f1e5c4636cd45bf2efe9de3b004d9b71f1d01598752552c627fada49cd98

SHA512
43cb7037b371277ed8ab9f0221f8a8424a2f6f8eed0dca41230a9543f23f60087847ecb58dfe0f192f590257d06d93008a8ad1a401b3ca9c3206cc4320edb4e5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5ad835353dac88b89e18ea017056e70d

SHA1
b63853a353add56b80f48f5afc8026daa5a0964b

SHA256
bce4a60e2c63f5fa2aab833ad2ef88de79d069c78a89c06b56970a37958f517e

SHA512
c5c75b5f34a383d4aad3aabc7b8423cfcfcf0122fb6f499b207a1d51979b240b575e8b7398a13bdbbbdeef4f0064528a5a37b01ad8b4a818181b7c05df73b743

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
500a1e30b9d6e714b3730a6a32057c08

SHA1
df5db38dec349c6440197cc1cf68f6da93158b59

SHA256
4ed8e758d45cd9cfc1334f7367829112035a67015b88d1c1a6034ccccf360f00

SHA512
625b27507295919cee66ca0f66d066270a11f9bfba9b09d844a7dea112ed095a20757e41f6c904cb8831177c29ed2fae001f448b3103bdb4bf8212692df1c5b9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
be11c3482cc0f07de2b4105726d22ef9

SHA1
07cc29bcd62c537f69f3be484bacf83cadf9f815

SHA256
a352e068dbaf5829187b799fc309ac838497deed703996fae63aea97893eb52b

SHA512
1bcc053a818423de2c13be89536eb61e18e1af8e027ceca98fde5b3b0d7dd07d31f5d00ee115a60f19f77be5510f73914e8ff18a0247806dfeb94477024c87b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1decaa4e1500d62f45013a90aebc6ed9

SHA1
578a7962e8928fa25da55b22522598e549f29735

SHA256
cb5f869b023c0f4484882378276e28fc8dede3cf4c32fac006c8321df49d26ff

SHA512
712b6d4b948556eb938742336cbe8e2928b8ec6b9d206eb8b7562c54d3e61674bfdc1ca919406faf1f21e4e38dc5ade454cfd06a1aab44009a9a2200e21d6531

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
d00a696b93425b08bfee0a6bdad98b7a

SHA1
b6beb5545abd6185e8ec41540b0eeb9187851ac6

SHA256
d6aed728c0ad6a268f9aa4c4c4af525b99d0afe371a288f1483bc57566d8d0da

SHA512
ab7a018b06d6da238687d33c734190494e55f536b6b4a9e00420c0dd2b8468a8ae8670ff9494708718c4082df9282bea31146f6d1c4ec86f728e540f18d16e6e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3fc1e6be69a9727e6dae0f22a69fc31e

SHA1
565586365200819aa5ce09668cabc640da570059

SHA256
7ca3f64a1c35c09e3fee28c4823352812d326411d4412f1f31a5fe4ee725275d

SHA512
44b22fdc54230db2cf5bfc605d7a3547dfbd76dc6298404fa3e4bb6a4ea07cf3a6704abac364a0f1d67d04abff271fcb7a67b042e5091ebe8518957ff4bbe9f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3712ece4d8895c4c5bad62e20ecf9e4e

SHA1
e28b5a7e7016d9d4f0c3263fc94bd73954473f5e

SHA256
59e33eb12e9b46cce8018e34a2c7034036cc03868935bef9bcd16a64364778b8

SHA512
845352a145b809f1696fd19fc598b23a21aaa5113ba4985dd8cc4c879b19fef62fa4120b4383d506e1be9da2e21353ded467ad60cc253a7c8bb329505b79ceaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c183ac313d99bf537f29237e05c92b86

SHA1
8a1fec3b363f471cf8a831568de3fe639ed34791

SHA256
00213b646cd354952be3d8644cf559fbdc6a86b8b3e1be8cd5952afb0a8ce978

SHA512
4f1804a7413cd45aa2efaa9c96acaaf8144a8e0fefc1a4a5ea831fdc8d7e590724179ed1a370f04c0dc4ecd09db41a6a29b4e4c898cb5135d9c49da1df21dc28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6fb660d6188482142466379cf25f9b8a

SHA1
6e87a84c5801f409e57d6bbf14688ac242045007

SHA256
6e31e255e299e7cdf5a875f9cd62e70940c2fd902aa6eecca29234a888a5fc85

SHA512
0b840747565dc505920eacceb716327f4772e9d1a471f407cb645868d2b4d9036bb4d182c8dfbcf3e157f85ca75d3a5ae1cf8d012a64701a551bbb9bebc3a249

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
519a42e5f3721ad865976731e87c2324

SHA1
29202848eda1570eeacedb91ae6e32d9e6c45008

SHA256
a0fbcf6f1de44c3a057463ba4db7e80beb869e75114c7e8bc3d4ea799af2a3de

SHA512
7a02d4e3df4592e9cf90bdae2b787eb40635671e742e7af6697dde94774f37c8e0e46ca2705122aa8b53e06b5847bca97b1e3c641217d7b0e88e824d812db2f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
eb59e92a72acc259869248d463a447d5

SHA1
bd289d8127ba46d4864e294646ac631d9a0284e2

SHA256
74b7a782fae671c384c55ae060290be9e8eb66ebd8811330864940773c80716b

SHA512
f42c83628176029422cae25a9345706d06f1424c4511c0eba7fe3c95d6ff02e674adb379a437e097c18551f7c5623725e4fecc0e9ff2ef994cae49e75889353f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4794defa9be2f8bf98cd251a4ca09972

SHA1
ec168d6cb4c36e193e6ebfe67a37d88b8fdc52c9

SHA256
6825547f48945c9130b1e48296224893e8c92150105dc4ea84e57a458498aa0c

SHA512
60cfc43482490ce146de9cbf44501258d677079de4fe259f4a4ddc0a602d6e0985d01ce2e1f4179d520431b6f727e6370a2ee3235ac0e2a1303d66fabe5330ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a4ba40c66c01add16608486e02a92fcd

SHA1
382ee667627e3b9919c449277c798c8af2489021

SHA256
4983fd73bb5cb9f0215562c4193728eb6e985819aad1bc60c2a1aefc0310b26f

SHA512
787ca40bff37f83953a4f3bb95ed686ebd37b3f0d5b606e90a17f1dbfa84d0860699fe99c47361d1d26feecfdaac43c601bba0b382151c9e60f95702562eb75c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bb2b0b95ddab829c0d5e516aff63fb6f

SHA1
ea3c7776417c33fd1a66b4a0140804d0d7541387

SHA256
23fee33254b4cdb9aed4a3cd0ba304ecb7a85f8a35993c9105ccd013bf4932f5

SHA512
15e3e007241f5579382d48ee41757821b4ca3b5c1bf3174d5ab5f637e006038f29851342e1ce5c66409c4cf20cdcb008e7383c7a22f602d645526c3cd09132b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
726d36f7bad6767aa0c1da4b77f65cca

SHA1
d4d37ddd1332c0a7c174c770e0d3564034a1040b

SHA256
3e52058e082c370f5ae7e7c40398fc7c50f3f1145d7f80906241e5cb00e426ce

SHA512
e900b1659bc91f77f454799f084173ecf58517b2e1255730a995bef972183e4997fcfda22681849f03f6b43ad2f08404e6c9308570d214d43649cfdc9c497c9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d174714edef06014bb50fcb0429703ba

SHA1
937f47eabbba8ece3e2060f66936f7d58b9cb9f1

SHA256
e4654c8538a7f922fe4b4d5cd1553c290a1f88aebf5cd5c41ac24559e91659f0

SHA512
add1899b04091bc9df2e82cb640f392df0965d1b897e11d8fa8fb30b661bcb350ea2aee8100af94d86837d78f4425a0066fb83108e7c3067213567cf53468586

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2bb7f6c0bea70fafbf55ccfa54308b72

SHA1
337a99bae94d411ff951f20855195d382c8f2efb

SHA256
eba448c1d53796d8ad3e704d34b4c6a1b7b679bcfd0dd94e8fbab84abb0476d4

SHA512
92c896de3c26bc485c44d67f8e3d578cf99e475e38c68ad955b4297d0bfe587bf5c39122e4ea7cd9fea02edb0c93cbad23c901c56cba74cf33245d3e1d3335fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c530e49d9fa74fb2c489b4e4c23dcb50

SHA1
32d22ebd51c7ba6a727c2c0f37f8ee7e6aaa7c1e

SHA256
8121f8734643cbadb3b624a6a4e307c42f867f6a5e3836a56c5e84212bafd66e

SHA512
14b7bab7f849814ca600a0942d0be7a57ccf2ecd7a6aa81b1bc8aeb6733a78f3b2abe65c683a578a337f1a87c85a9c06c9843bb4321f56a8fdf0698577386d15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
294e1aa43a978665a2fcf248c2e42d5d

SHA1
f07e58f68405889e4779507c84e9238db4d5ad55

SHA256
36f284fb7a243fdbc5f068ab15b275323a1fcd109930e54a81864498430e1849

SHA512
3054249eefaa15d4021ac3f7cbc9f37570e02eb71e1283a50beed3270abd30b7faacf051f134ae5980bb4d5dd272404ddfc0e80161114df5d5f85397cb4091ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
642c87a921b2cf6290b606f033ecf0c9

SHA1
61eeb1b9f847e17d2c4bf9d036da0db50537a1d9

SHA256
1344677af5fd82fa4fd9603402ae9049c9204dad5da315db2a28a5be398a47e8

SHA512
1d26a0ddaec616d9eeb7503319041e511e3b8da905684fad57d1afa4e8e0fa00f5fe9a3dcbb26cc7676dac72ad9be4885a9dd4a47ca99a2cd0171f1718e264cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3bae0127935687e3c847564a7f36e72a

SHA1
d1c5b812920434362f9e1f30c92f1c09949a4c35

SHA256
ee4104bee683aa6e01aa947b20c1da29c695e6b5478b4a57b73f628a11aa2cdf

SHA512
0d4889e991e220d970748963c8117c4e5c85a2358af4124b991880868d2d7b3d18ab72646e1000307eca485143c3695712508b198a663ef704d9c97265139470

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a092795a359498e5bf94f8d056a76186

SHA1
d6d6157e1431a2d2fb2855f99464f20dd31c0cc6

SHA256
7f176cf7d18cb768f9162ddfbfdc8dcce8e0d80ff088997aca7f31e04631281f

SHA512
451fe473b5140d0e517d592cf23d53d0cfc9903b3f5f7e6047b1685901ecdc0cf55403ba2eeecbcc98b692e65c7f5a60431b88c55beb479e4161e1e6144bbf1e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8d701f574d642bcbbd3e1c3835274ca5

SHA1
4f3763eda15018fb95f2ea020e26995565abae57

SHA256
e45be4efe5da053a14b3d3bb4cfb8b64dd9d4f5169e177d74342a413ad184e5b

SHA512
1d7fdfc9af4a2c0b8f0f4747d4426f77fc7c409be1ee64714bc34ad63558e96147f007abee3e3825f6710804b9b8b76c12098df37b613eb6cda08a4e62b3df72

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
58974d4e331dec86d6be3bf1156d9041

SHA1
a6ebda86dfde9c7bd4f786d3736518305f291de8

SHA256
76c5368bc68a16d5480f4daf1c6ffbe693693010b4a68ab0497682030f9ab2e7

SHA512
23ec0920dfa1b980d1d7e775de01938fd945f84b41d11d1b97c2cc0d3266a454622b53f83f22c92baf6b530bb1229e5150bf44407214413920ac7600a49d2d4a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
46d0078da863f546edd198dd22afc568

SHA1
f5f21a4dba66e5c40d35f6360f01e3f963e14aed

SHA256
5c34990326b2e1fb4da7df67ee56dc9027b08fe6149f95ccf54a02002bf6025a

SHA512
354536458b480bf4091da261187706d7a73d0f3cedc8d37b6e4a2cd22de750471aa3272ab5e6cfc2a3f75f5b1c0638b342452c078aeabb2cafd26df3234fedb5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
133d4cb0996d91b056a58708010378f8

SHA1
560ac3941caa4c7e4f26eaee0e3d16e123027c07

SHA256
1cfb21d1df4e507cfe820a0ce3eecd315ff731a162ee264204d287dde7935720

SHA512
23adcd7558e89c278ee191e933ee7ee9c4801487bd147d476df42d7d7c8a3c94e909c20b625d1a0882235ad24fc35f148b67f320467751445896c6112b7054be

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3f7f4dd1f6c3ece7e404b8181515aa8e

SHA1
127c3561ca46eba409c5a5010b60a82c186ff035

SHA256
272eb1151fe7dfa137243f8bdf655a0bf7b317de1759999c550731940624a0d9

SHA512
796cfa1304f62d5c32ccfdbf008b5d71860e6be6affcb4399e9705aa43fa221c3c298f19d60b57f6d58aad2c5c22ffa9e4f0349f175ccad5a640545b64e53c15

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3cccf464decab1403daa52eb2bd0cdfa

SHA1
a06bcd84d332daf8b72ee9167570d78ece1f4acc

SHA256
d9b7cfbd36021c6a905467b3c8281c2030162c64a9f3e92ccfecdb379a2c2f0a

SHA512
919d3b2c71367669c94b3b540acc67ac61f983e0dbadf378796c93120f1eb0d95317c17fb08f5aadd050710e4525ba54a6936d6ac986c306d9dd7c74923df7a7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1969f3495a986e0ea1525808e6ed3b76

SHA1
f6f6f218b12d7fb211e046fa03913eef733273c1

SHA256
fb75007f6dd7d6747c946c2be6a6d96c157348d30920220cb17b653f68b566c7

SHA512
ae7efd89aee2b87f551d8ebdedd2e88962f60e5d4bb750c306380f7ce324b6eb1d6e83ba19ed4a581906e5696e68467c15517a97b99f9cd3794e1ced172b254e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f08123b847542249b9157f0117f6212e

SHA1
7cd246530de90d35d18b8fdc5ab527b3f0eaf422

SHA256
a2c32887f05f8d4acdb1742dc8f740440b2224845589c8496ba9d79cc8f1a1c8

SHA512
1d569b07ad07df9c22c8ba7b0e9bc846f3b8acc83a1816e844e81269adb4c01f9792206286610435a3eced2749914e1340c7642b983d4208292b2ffb6085aae7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e7e9ba001aa0927078d464ae393bb043

SHA1
261e056b6f413d1cb185e15fb7db4b58c1f28d12

SHA256
298dd051920e496cfe7d801a4b3342c14840cf7bf14b494982392da415e54277

SHA512
8f97652a35199b7e4eb7f99a4d33664edfa0bbc45fe287e6484433a8539a7389e6d7fa168466351e57334ff6cf223121474ade627b42c721f9372cb870bce659

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b68d6e32dcbebc48dadd322f88465ea3

SHA1
ae7371469d76591b3dbcd5c2cc8402ecffefd5d7

SHA256
dceeafba749b44301762c42546cd7338bda49b126e97cbea5819cba2aee92f1a

SHA512
e5b6c20aa1288d40e33456ab00ab49731037ecb663a326391a5706b823341db3e57ff0847fb965d1b50f9342d8dfba8e41baa008c69f02a37e089ccebd52a0e0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9f15c6eb4f22c59da33d2f8b52403c35

SHA1
7f4dadb7fd62108c181662b243a48e40349f19dd

SHA256
8c766746be3688e11c2975729a321d5f969216aa71e0f016461d490c093dc9f5

SHA512
f8ce230f0850ecee1c5b4d79b14e1a0a0eab0b37932363cc7bfa83c01af307fba32aef3cd1494ab58f418b6689106dc071f9f96dc92ef02eba20e725a6c73642

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
47522c5af66c88837a44259e96efb0d2

SHA1
d7d6b1918789a1e25be96b98c9da04ce610e66ce

SHA256
c556d7e0430720278861f2ef8311dd38b38f08f80d985c28d2e8ec7c82b166db

SHA512
4ce77ead533f808b2cd00802c4c1cdd892633f29b9e7b8392ec53fa13248cd05cb936b0b2471d7f5fd04d2509c60749531023637b02d1d993775252a6f1cf482

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
452e81dc9ab5b01cef56afcf40311b5b

SHA1
1776dbde4301b71cf0c52005510f4cb7dfdbaaba

SHA256
8e5894fc09d30967a6687caf3bab06365b8ba19beba4b4e628bddbd9cfd4d760

SHA512
9f115f9d4029f8605b5c0568fb9db6a92b715998a016bf02344d024a001abe5151dadf2b44b25a7d53a116f41591ec999c8882a8975ecc91ae15da8d383d628c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c87b5e0fe49169d0c28237db1c6d87b3

SHA1
a38bc764b41931aaa16e1211e914d48121cfec9c

SHA256
dbd3e2afa2c156111464a8115ceb07fbaa674e810bdc5ddb761bc54b8232f89f

SHA512
b066f211c0c7891cde515d4a1957d29e309e890dc0d67eb70e63122fe6061b8eca90c1a8597683fd0b1992af1c354ed294e68ac8ef1fb6cb6c2792c60821511d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
357715abbe7e253020a3754aafce0b19

SHA1
7e0920f818e503273a1c9b1f10e93a7665384843

SHA256
0018c49966bf678d6eb21519668b7735d447ad7deb92606d134735e9e9da48b1

SHA512
ac85feff6d188d8749fd1ff9c25471f596ff9a6a7179d649a70904c296ae00d146178eb968b371fe61f002d1b3f4fe0eef80e795f667a1e9ec70ec081b05bf3c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2134b512f981aa38c5d449fcce419c83

SHA1
bafac422cca0d93b0af484332bdc7de8cb2d683f

SHA256
3b47c76a8074a7660e593ba0b825d487588a113c58aa2cb4f64acee7223a6a86

SHA512
a0ea1d87b4be45cf54d3e1205953f438a2fdfda0ed712eb14d8da91de7048ab88834eea3864c2d2f5117af66e5bc7861ddc52b8d64483d94b90738c51a24014b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
026348d2994e1ac10ab65a3b21c70829

SHA1
1583a300506a0381647b36cdc24d70f2f1a8e60e

SHA256
8eab6e4009ede9557dcd17a30c49a2ec087e06a7212ef24907705f45e78bc6f7

SHA512
8eb1de4b2e18f16b28d18b19133644f53d117c6610fdcc1994dcfd4b4226c112cff0a6d12c6df9690e576d553e93b1c5f1953d736e50ddbfe0f9717540bb7017

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f1a2cdd69c556c6837e757c4e1768ba2

SHA1
98cba60f0769fe421608b4c2e04918dd8e99fe90

SHA256
d0730a27de8e6eb1b8d7cbb0518200ab0764e9c3187778cbb8f9625123ba7eb4

SHA512
cbcfb424bc64dc21a6eecc33f9677256338e0e120f092a8ec04e712ef43eca50089a0ae78f519a953160e9ac4639840d36e2efaf5d71af50e482e1f419a15d36

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
27fa4696f7b25f4594dba534dd4fe159

SHA1
2b35442c25bfea5eaff25636dc54434fb730ce30

SHA256
d7318fa4017d147b242a63bc8d07186d4ee8f7f10a9aea9b48aa9b58d995972b

SHA512
63439361bcead898924df0c228424e55113dec58c20d5fb318ba62fdaf7c2419c2921a50b83ce3c598f141e18e3c3386ebec38ff06d5dd6701daeed6c9230f05

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
46b8e9495dc4ad061f4e6774ba1ebbd4

SHA1
a56c6782453dc3ce09581f1c708253c062e8c321

SHA256
9a0e05efb752444375ffe1c178262357f0786b999a411acdb09b748d52ed014a

SHA512
177a4cbf98b0c924fdcff88c31fead6ce55f9b78e61879c274fa82b9d762d8312b03c418e8f74855761c4c9f93c1c36f4c0913449a5341f5cadfe405f3a85a6a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6bf8f29d6ff1a40922dfc89c432240d2

SHA1
7689c782435c05154ea4e8c244534ad76aa7b130

SHA256
689fc70b45e2f8aacd118345c8f2b7fe1f7a3539508818923ddafce7828ba1e0

SHA512
45fba5563c841b51e6b5b3c12f3927783a1ff6c2f7f501fd780823783c4f11557256d2e43560479422bc47c7facc299ffaa818f91aecc5dd474fdb668cd1cdc2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7baaa75e58878cfba72ed4615ffb1a76

SHA1
4ff5b059e1c8560c647e50787f2f479096598bd1

SHA256
156c0da8c7d620eaed04291a8fd86ca5da771da2b108743cac7c8f12e6bedc9f

SHA512
fe19828ff9368904ec5f236c40d9ed498dd6183068bfb3ce2644c1a80bdde2a183a999d4229298c92494809eb2ae4bfdc61678d252a6b8833e7ff7bfe655d8e4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
527b93b37116c1966d5cdc8507210ffa

SHA1
eb47b6910d8e2ff65bbf7eae5cff8bb986f94ef4

SHA256
a65696af1c0a464e49e5dd582b4a72f8ae42ec354b7895ef970024c8a95be208

SHA512
7f7ba30b7a55ff9d9222fa29fa9de3816b8c57045941dfdbb1a16c16a377ab593352604857030a4084445d7fb19615f12023181e46ec46049744db46cf1c72e2

Download Submit
memory/764-662-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/764-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1028-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1028-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1028-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1028-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1532-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1532-56-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1532-42-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1532-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1532-35-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1752-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1824-5-0x0000000003DD0000-0x0000000003E37000-memory.dmp

Filesize
412KB

Download
memory/1824-0-0x0000000003DD0000-0x0000000003E37000-memory.dmp

Filesize
412KB

Download
memory/1824-9-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1824-33-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/1964-17-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1964-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1964-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1964-146-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2572-663-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2572-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2612-125-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2680-47-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2680-174-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2680-53-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2680-55-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2788-187-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2788-661-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2996-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-660-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2996-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3028-83-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3028-78-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3028-72-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/3028-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3092-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4312-175-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4312-657-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4328-30-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4328-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4328-44-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4356-86-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4356-106-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4436-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4556-501-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4556-159-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4668-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4668-668-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4680-162-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-646-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4836-112-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4836-223-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4976-666-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4976-235-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5020-667-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5020-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download